Edit tour

Windows Analysis Report
DF2.exe

Overview

General Information

Sample name:	DF2.exe
Analysis ID:	1583067
MD5:	9b41d60958d07cdfd3cbc58fbb56cea7
SHA1:	da86bea1b0de55fed13464a374e2f724ce38aee7
SHA256:	7949f04cffb4daf9fa6c4774e2a9b18962c4f6157cd91f717e3089f49c9c754d
Tags:	exeuser-aachum
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Contains functionality to hide user accounts

Found Tor onion address

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Modifies Windows Defender protection settings

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious Program Location with Network Connections

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality to call native functions

Contains functionality to create new users

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

DF2.exe (PID: 6652 cmdline: "C:\Users\user\Desktop\DF2.exe" MD5: 9B41D60958D07CDFD3CBC58FBB56CEA7)

DF2.exe (PID: 6696 cmdline: C:\Users\user\Desktop\DF2.exe MD5: 9B41D60958D07CDFD3CBC58FBB56CEA7)

cmd.exe (PID: 6840 cmdline: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7032 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 1740 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7012 cmdline: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

w8m7wmyk939oczmkw4o2h16hs.exe (PID: 3068 cmdline: "C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe" MD5: 319865D78CC8DF6270E27521B8182BFF)

nju2apmx83wqd9u7namsf59y.exe (PID: 7028 cmdline: "C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe" MD5: 2F829F1CB631D234C54F2E6C6F72EB57)

taskkill.exe (PID: 3220 cmdline: taskkill.exe /F /FI "SERVICES eq RDP-Controller" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5756 cmdline: sc.exe stop RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6652 cmdline: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7116 cmdline: sc.exe failure RDP-Controller reset= 1 actions= restart/10000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7136 cmdline: sc.exe start RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 5324 cmdline: icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18 MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 1508 cmdline: icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

main.exe (PID: 7100 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: BB070CFBD23A7BC6F2A0F8F6D167D207)

WerFault.exe (PID: 6844 cmdline: C:\Windows\system32\WerFault.exe -u -p 7100 -s 1220 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 6308 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 5252 cmdline: C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

main.exe (PID: 6764 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: BB070CFBD23A7BC6F2A0F8F6D167D207)

cleanup

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, NewProcessName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, OriginalFileName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5252, ProcessCommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ProcessId: 7100, ProcessName: main.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6840, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 7032, ProcessName: powershell.exe

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe, ParentProcessId: 7028, ParentProcessName: nju2apmx83wqd9u7namsf59y.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 6652, ProcessName: sc.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 68.183.196.133, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, Initiated: true, ProcessId: 7100, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49738

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6840, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", ProcessId: 7012, ProcessName: powershell.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe, ParentProcessId: 7028, ParentProcessName: nju2apmx83wqd9u7namsf59y.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 6652, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6840, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 7032, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6308, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://netdb.i2p2.no/	Avira URL Cloud: Label: malware
Source: https://reseed2.i2p.net/r	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/9	Avira URL Cloud: Label: malware
Source: https://reseed.diva.exchange/	Avira URL Cloud: Label: malware
Source: https://reseed2.i2p.net/	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org:443/i2pseeds.su3	Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/i2pseeds.su3	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Avira: detection malicious, Label: TR/AVI.Agent.jibab

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	ReversingLabs: Detection: 26%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	ReversingLabs: Detection: 31%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	ReversingLabs: Detection: 69%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	ReversingLabs: Detection: 57%
Source: C:\Windows\Temp\6KasAPG0	ReversingLabs: Detection: 26%
Source: C:\Windows\Temp\DiEI7oU1	ReversingLabs: Detection: 69%
Source: C:\Windows\Temp\yGODxgsj	ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source:	Binary string: RfxVmt.pdb source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.21.dr, update.pkg.10.dr
Source:	Binary string: RfxVmt.pdbGCTL source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.21.dr, update.pkg.10.dr

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E16387F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	21_2_00007FFE0E16387F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E1638C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	21_2_00007FFE0E1638C3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE117738C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	32_2_00007FFE117738C3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1177387F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,	32_2_00007FFE1177387F

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CC3DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	5_2_00007FF764CC3DB3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FF76A901CF3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FF76A901CF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E166233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE0E166233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0EB4B333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE0EB4B333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11504013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE11504013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11EC5013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE11EC5013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11776233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11776233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11BDB333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11BDB333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11EC4013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11EC4013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE126D5013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE126D5013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE132057B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE132057B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE133031F3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE133031F3

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	21_2_00007FF76A90737B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	21_2_00007FFE0E16A13B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	21_2_00007FFE0EB47DFB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	21_2_00007FFE1150967B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	21_2_00007FFE11ECA67B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE1177A13B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE11BD7DFB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE11EC967B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE126DA67B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE1320293B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 4x nop then lea r9, qword ptr [r8-01h]	32_2_00007FFE13309BBB

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 5.181.20.93 ports 2,3,6,26893,8,9
Source: global traffic	TCP traffic: 78.58.99.133 ports 1,2,4,6,29641,9
Source: global traffic	TCP traffic: 95.164.4.146 ports 21309,0,1,2,3,9
Source: global traffic	TCP traffic: 88.228.207.122 ports 16453,1,3,4,5,6
Source: global traffic	TCP traffic: 89.35.131.34 ports 0,1,31750,3,5,7
Source: global traffic	TCP traffic: 81.168.83.201 ports 18290,0,1,2,8,9
Source: global traffic	TCP traffic: 173.68.123.78 ports 0,2,3,4,5,25043
Source: global traffic	TCP traffic: 212.116.61.165 ports 24605,0,2,4,5,6
Source: global traffic	TCP traffic: 38.40.94.251 ports 28976,2,6,7,8,9
Source: global traffic	TCP traffic: 81.136.49.129 ports 0,2,3,6,8,28063
Source: global traffic	TCP traffic: 68.149.143.121 ports 0,1,6,7,8,10687

Found Tor onion address

Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/6
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/b
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/s
Source: main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000015.00000002.2484200859.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000020.00000003.2599837625.00000200A08D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000020.00000003.2599705548.00000200A08D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000020.00000003.2599641838.00000200A08F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000020.00000002.2913383515.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000020.00000003.2600230754.00000200A0506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/I
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/T
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/E
Source: libi2p.dll.21.dr	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: update.pkg.10.dr	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: w8m7wmyk939oczmkw4o2h16hs.exe.1.dr

Static PE information: Found NDIS imports: FwpmEngineClose0, FwpmEngineOpen0, FwpmFilterAdd0, FwpmFilterDeleteByKey0, FwpmFreeMemory0, FwpmProviderAdd0, FwpmProviderCreateEnumHandle0, FwpmProviderDestroyEnumHandle0, FwpmProviderEnum0

Source: unknown

Network traffic detected: IP country count 25

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 45.200.148.158:1129
Source: global traffic	TCP traffic: 192.168.2.4:49808 -> 15.204.11.249:11623
Source: global traffic	TCP traffic: 192.168.2.4:49809 -> 51.83.132.16:20700
Source: global traffic	TCP traffic: 192.168.2.4:49810 -> 185.82.217.48:14412
Source: global traffic	TCP traffic: 192.168.2.4:49811 -> 194.54.156.174:1941
Source: global traffic	TCP traffic: 192.168.2.4:49812 -> 80.76.34.140:14505
Source: global traffic	TCP traffic: 192.168.2.4:49813 -> 88.228.207.122:16453
Source: global traffic	TCP traffic: 192.168.2.4:49814 -> 5.181.20.93:26893
Source: global traffic	TCP traffic: 192.168.2.4:49820 -> 125.212.237.207:9325
Source: global traffic	TCP traffic: 192.168.2.4:49821 -> 66.176.202.101:17154
Source: global traffic	TCP traffic: 192.168.2.4:49822 -> 38.40.94.251:28976
Source: global traffic	TCP traffic: 192.168.2.4:49823 -> 46.0.4.103:18202
Source: global traffic	TCP traffic: 192.168.2.4:49824 -> 81.162.25.200:30484
Source: global traffic	TCP traffic: 192.168.2.4:50036 -> 85.242.211.221:37987
Source: global traffic	TCP traffic: 192.168.2.4:50037 -> 212.116.61.165:24605
Source: global traffic	TCP traffic: 192.168.2.4:50038 -> 173.68.123.78:25043
Source: global traffic	TCP traffic: 192.168.2.4:50039 -> 95.164.4.146:21309
Source: global traffic	TCP traffic: 192.168.2.4:50040 -> 59.110.52.4:11876
Source: global traffic	TCP traffic: 192.168.2.4:50041 -> 193.34.123.42:11721
Source: global traffic	TCP traffic: 192.168.2.4:50042 -> 188.120.244.218:2632
Source: global traffic	TCP traffic: 192.168.2.4:50043 -> 110.239.62.148:22444
Source: global traffic	TCP traffic: 192.168.2.4:50044 -> 104.244.227.121:11334
Source: global traffic	TCP traffic: 192.168.2.4:50045 -> 89.35.131.34:31750
Source: global traffic	TCP traffic: 192.168.2.4:50046 -> 107.161.80.18:5022
Source: global traffic	TCP traffic: 192.168.2.4:50047 -> 37.120.171.64:29956
Source: global traffic	TCP traffic: 192.168.2.4:50048 -> 85.24.237.45:18608
Source: global traffic	TCP traffic: 192.168.2.4:50050 -> 82.64.105.181:13166
Source: global traffic	TCP traffic: 192.168.2.4:50051 -> 173.249.2.110:52911
Source: global traffic	TCP traffic: 192.168.2.4:50052 -> 23.137.250.43:24642
Source: global traffic	TCP traffic: 192.168.2.4:50053 -> 81.136.49.129:28063
Source: global traffic	TCP traffic: 192.168.2.4:50054 -> 50.35.91.100:27295
Source: global traffic	TCP traffic: 192.168.2.4:50055 -> 195.52.175.104:28212
Source: global traffic	TCP traffic: 192.168.2.4:50056 -> 68.149.143.121:10687
Source: global traffic	TCP traffic: 192.168.2.4:50057 -> 78.46.239.124:6802
Source: global traffic	TCP traffic: 192.168.2.4:50058 -> 78.58.99.133:29641
Source: global traffic	TCP traffic: 192.168.2.4:50059 -> 73.247.24.93:4965
Source: global traffic	TCP traffic: 192.168.2.4:50061 -> 149.106.159.60:11959
Source: global traffic	TCP traffic: 192.168.2.4:50062 -> 72.68.225.51:16190
Source: global traffic	TCP traffic: 192.168.2.4:50063 -> 81.168.83.201:18290
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 67.223.218.98:27892
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 118.211.240.78:27644
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 190.62.46.158:9548
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 157.161.57.70:17777
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 162.19.153.65:18297
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 100.4.223.210:25303
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 108.180.0.49:25004
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 89.66.70.5:26711
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 93.94.147.180:28372
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 87.180.222.251:19608
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 173.59.19.119:13311
Source: global traffic	UDP traffic: 192.168.2.4:18686 -> 95.188.183.13:17107
Source: global traffic	UDP traffic: 192.168.2.4:9525 -> 116.202.17.147:25190
Source: global traffic	UDP traffic: 192.168.2.4:9525 -> 123.57.221.156:9920
Source: global traffic	UDP traffic: 192.168.2.4:9525 -> 194.110.247.42:27073
Source: global traffic	UDP traffic: 192.168.2.4:9525 -> 120.26.218.134:11856

Source: Joe Sandbox View

ASN Name: XTOMxTomEU XTOMxTomEU

Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158
Source: unknown	TCP traffic detected without corresponding DNS query: 45.200.148.158

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FFE0E162A1A recv,WSAGetLastError,

21_2_00007FFE0E162A1A

Source: global traffic	HTTP traffic detected: GET https://reseed.i2pgit.org:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global traffic	HTTP traffic detected: GET https://reseed.diva.exchange:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close

Source: global traffic	DNS traffic detected: DNS query: reseed.i2pgit.org
Source: global traffic	DNS traffic detected: DNS query: reseed.diva.exchange

Source: main.exe, 00000020.00000003.2586057584.00000200A04A8000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: http://127.0.0.1:8118
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: http://identiguy.i2p/hosts.txt
Source: main.exe, 00000020.00000003.2599837625.00000200A08D0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2599705548.00000200A08D0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2599641838.00000200A08F0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2600230754.00000200A0506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: update.pkg.10.dr	String found in binary or memory: http://reg.i2p/hosts.txt
Source: main.exe, 00000020.00000002.2911993076.00000200A04CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtC
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: http://rus.i2p/hosts.txt
Source: update.pkg.10.dr	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtn
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: http://stats.i2p/cgi-bin/newhosts.txt
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://banana.incognet.io/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://banana.incognet.io/;
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://i2p.ghativega.in/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2482716452.000001DE39E17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i2p.ghativega.in/b.cW
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: https://i2p.mooo.com/netDb/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://i2p.novg.net/
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://i2pseed.creativecowpat.net:8443/
Source: main.exe, 00000015.00000002.2482819721.000001DE3A1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i2pseed.creativecowpat.net:8443/i
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: https://legit-website.com/i2pseeds.su3
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: https://netdb.i2p2.no/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed-fr.i2pd.xyz/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed-pl.i2pd.xyz/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed-pl.i2pd.xyz/d
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed.diva.exchange/
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, update.pkg.10.dr	String found in binary or memory: https://reseed.i2p-projekt.de/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed.i2pgit.org/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org/9
Source: main.exe, 00000015.00000002.2482819721.000001DE3A1A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org/i2pseeds.su3
Source: main.exe, 00000015.00000003.1876236118.000001DE39E3A000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000003.1876537527.000001DE39E39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org:443/i2pseeds.su3
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed.memcpy.io/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.memcpy.io/b.ci
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/6
Source: main.exe, main.exe, 00000020.00000002.2913383515.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed.stormycloud.org/
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/E
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/I
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/T
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/b
Source: main.exe, 00000015.00000002.2482716452.000001DE39D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/s
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://reseed2.i2p.net/
Source: main.exe, 00000015.00000003.1876574866.000001DE39E28000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000002.2482716452.000001DE39E17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/r
Source: main.exe, 00000020.00000002.2911993076.00000200A046D000.00000004.00000020.00020000.00000000.sdmp, libi2p.dll.21.dr, update.pkg.10.dr	String found in binary or memory: https://www2.mk16.de/
Source: main.exe, 00000020.00000002.2911993076.00000200A04CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.mk16.de/76
Source: main.exe, 00000015.00000002.2482716452.000001DE39DB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.mk16.de/8

Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC929A inet_addr,ntohl,

5_2_00007FF764CC929A

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC292E strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError,

5_2_00007FF764CC292E

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

File deleted: C:\Windows\Temp\Z8JRj7qu

Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_029953EA	0_2_029953EA
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_02985B3E	0_2_02985B3E
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_02984B4A	0_2_02984B4A
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_029860CE	0_2_029860CE
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_0299701E	0_2_0299701E
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_0299D122	0_2_0299D122
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_02987F2E	0_2_02987F2E
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_02989CF6	0_2_02989CF6
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_0298CDA6	0_2_0298CDA6
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CCDE8A	5_2_00007FF764CCDE8A
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CCE4E0	5_2_00007FF764CCE4E0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FF76A90C4C0	21_2_00007FF76A90C4C0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FF76A912098	21_2_00007FF76A912098
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E1709C0	21_2_00007FFE0E1709C0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0EB525F0	21_2_00007FFE0EB525F0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE1150F020	21_2_00007FFE1150F020
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11ECEB40	21_2_00007FFE11ECEB40
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE117809C0	32_2_00007FFE117809C0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11BE25F0	32_2_00007FFE11BE25F0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11ECF020	32_2_00007FFE11ECF020
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE126DEB40	32_2_00007FFE126DEB40
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1320A8B5	32_2_00007FFE1320A8B5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1320A78B	32_2_00007FFE1320A78B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1320A643	32_2_00007FFE1320A643
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE13210710	32_2_00007FFE13210710
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1320A558	32_2_00007FFE1320A558
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1330CBC0	32_2_00007FFE1330CBC0

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll 5E38EA7E3DD96FE1C6BB2EBA38C7BDE638C6B6E7898F906E343D9500AFF86499
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll 0B628EA2BA9CD77621D90A0A7456659ED86C118EB7655F6074B3B5648BAC0A02
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll 64B09FAC89FC9645DFE624D832BB2FF2FC8BA6BA9BC1A96C6EEE8C7F9C021266

Source: C:\Windows\System32\icacls.exe

Process token adjusted: Security

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11501292 appears 394 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11EC1292 appears 394 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE13201292 appears 377 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE1330A202 appears 345 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0E161292 appears 462 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11BD1292 appears 515 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE126D2FD2 appears 387 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11771292 appears 462 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11EC2FD2 appears 387 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FF76A9099E2 appears 303 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0EB41292 appears 515 times
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: String function: 00007FF764CC14E2 appears 295 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100

Source: termsrv32.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: 5P46VR1V.21.dr	Static PE information: Number of sections : 11 > 10
Source: samctl.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: LcUJSdZq.21.dr	Static PE information: Number of sections : 11 > 10
Source: DF2.exe	Static PE information: Number of sections : 11 > 10
Source: YERHbDgw.21.dr	Static PE information: Number of sections : 11 > 10
Source: cnccli.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: dwlmgr.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: evtsrv.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: DiEI7oU1.21.dr	Static PE information: Number of sections : 11 > 10
Source: libi2p.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: bT51Gn7Q.21.dr	Static PE information: Number of sections : 11 > 10
Source: DkzUMxZ8.21.dr	Static PE information: Number of sections : 11 > 10
Source: prgmgr.dll.21.dr	Static PE information: Number of sections : 11 > 10
Source: 6KasAPG0.21.dr	Static PE information: Number of sections : 11 > 10
Source: yGODxgsj.21.dr	Static PE information: Number of sections : 11 > 10
Source: rdpctl.dll.21.dr	Static PE information: Number of sections : 11 > 10

Source: DF2.exe, 00000000.00000002.1655842476.0000000002A3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs DF2.exe
Source: DF2.exe, 00000000.00000000.1653343153.0000000000B46000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIntegrator.exe@ vs DF2.exe
Source: DF2.exe, 00000001.00000002.2911163955.00000000028CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs DF2.exe
Source: DF2.exe	Binary or memory string: OriginalFilenameIntegrator.exe@ vs DF2.exe

Source: classification engine

Classification label: mal100.troj.evad.winEXE@45/74@2/59

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC855D CreateToolhelp32Snapshot,Process32First,Process32Next,GetLastError,GetLastError,GetLastError,OpenProcess,QueryFullProcessImageNameW,GetLastError,CloseHandle,GetLastError,CloseHandle,

5_2_00007FF764CC855D

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC1A19 FindResourceA,LoadResource,GetLastError,GetLastError,GetLastError,GetLastError,

5_2_00007FF764CC1A19

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FF76A908C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

21_2_00007FF76A908C4A

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FF76A908C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

21_2_00007FF76A908C4A

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess7100
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03

Source: C:\Users\user\Desktop\DF2.exe

File created: C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat

Jump to behavior

Source: C:\Users\user\Desktop\DF2.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat"

Source: DF2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

File read: C:\Users\user\AppData\Local\Temp\wfpblk.ini

Jump to behavior

Source: C:\Users\user\Desktop\DF2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: DF2.exe	String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: DF2.exe	String found in binary or memory: application/vnd.groove-help
Source: DF2.exe	String found in binary or memory: "application/x-install-instructions

Source: unknown	Process created: C:\Users\user\Desktop\DF2.exe "C:\Users\user\Desktop\DF2.exe"
Source: unknown	Process created: C:\Users\user\Desktop\DF2.exe C:\Users\user\Desktop\DF2.exe
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe "C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe "C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe"
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 1220
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Users\user\Desktop\DF2.exe C:\Users\user\Desktop\DF2.exe	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\4zy7r31p1gb90h9v8yoiitu76a64kr0m.bat"	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe "C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Process created: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe "C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 1220
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\DF2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

File written: C:\Users\user\AppData\Local\Temp\wfpblk.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DF2.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: DF2.exe

Static file information: File size 8630784 > 1048576

Source: DF2.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x69ac00

Source:	Binary string: RfxVmt.pdb source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.21.dr, update.pkg.10.dr
Source:	Binary string: RfxVmt.pdbGCTL source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp, main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.21.dr, update.pkg.10.dr

Source: rfxvmt.dll.21.dr

Static PE information: 0xE004CD23 [Sat Feb 5 03:04:03 2089 UTC]

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CCFF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

5_2_00007FF764CCFF1F

Source: DF2.exe	Static PE information: section name: .didata
Source: w8m7wmyk939oczmkw4o2h16hs.exe.1.dr	Static PE information: section name: .xdata
Source: nju2apmx83wqd9u7namsf59y.exe.1.dr	Static PE information: section name: .xdata
Source: main.exe.10.dr	Static PE information: section name: .xdata
Source: termsrv32.dll.21.dr	Static PE information: section name: .xdata
Source: rdpctl.dll.21.dr	Static PE information: section name: .xdata
Source: samctl.dll.21.dr	Static PE information: section name: .xdata
Source: prgmgr.dll.21.dr	Static PE information: section name: .xdata
Source: dwlmgr.dll.21.dr	Static PE information: section name: .xdata
Source: cnccli.dll.21.dr	Static PE information: section name: .xdata
Source: libi2p.dll.21.dr	Static PE information: section name: .xdata
Source: evtsrv.dll.21.dr	Static PE information: section name: .xdata
Source: DkzUMxZ8.21.dr	Static PE information: section name: .xdata
Source: bT51Gn7Q.21.dr	Static PE information: section name: .xdata
Source: LcUJSdZq.21.dr	Static PE information: section name: .xdata
Source: 5P46VR1V.21.dr	Static PE information: section name: .xdata
Source: 6KasAPG0.21.dr	Static PE information: section name: .xdata
Source: YERHbDgw.21.dr	Static PE information: section name: .xdata
Source: yGODxgsj.21.dr	Static PE information: section name: .xdata
Source: DiEI7oU1.21.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_0299F262 push es; retf	0_2_0299F263
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_0298675D push esi; ret	0_2_0298675F
Source: C:\Users\user\Desktop\DF2.exe	Code function: 0_2_02983D4E push eax; iretd	0_2_02983D4F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11ECFC37 push rsp; ret	21_2_00007FFE11ECFC38
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE126DFC37 push rsp; ret	32_2_00007FFE126DFC38

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FFE0E16521B strlen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strlen,NetUserAdd,CreateProfile,

21_2_00007FFE0E16521B

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DiEI7oU1	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DkzUMxZ8	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\yGODxgsj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\LcUJSdZq	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\YERHbDgw	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\5P46VR1V	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\2s3EMNnh	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\bT51Gn7Q	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DF2.exe	File created: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6KasAPG0	Jump to dropped file
Source: C:\Users\user\Desktop\DF2.exe	File created: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DiEI7oU1	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DkzUMxZ8	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\yGODxgsj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\LcUJSdZq	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\YERHbDgw	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\5P46VR1V	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\2s3EMNnh	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\bT51Gn7Q	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6KasAPG0	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\2s3EMNnh	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DkzUMxZ8	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\bT51Gn7Q	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\LcUJSdZq	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\5P46VR1V	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6KasAPG0	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\YERHbDgw	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\yGODxgsj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DiEI7oU1	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FF76A908C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

21_2_00007FF76A908C4A

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1923002401.00007FF67A05E000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000015.00000002.2482101115.000001DE3994F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000015.00000002.2484520770.00007FFE0E174000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000020.00000002.2913723801.00007FFE11784000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000020.00000002.2913723801.00007FFE11784000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: update.pkg.10.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: update.pkg.10.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18

Source: C:\Users\user\Desktop\DF2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy,		21_2_00007FFE0EB434F4
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy,		32_2_00007FFE11BD34F4

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	21_2_00007FFE0E162BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	21_2_00007FFE0EB45728
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	21_2_00007FFE11502BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	21_2_00007FFE11EC2CE8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE11772BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE11BD5728
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE11EC2BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE126D2CE8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE13202278
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	32_2_00007FFE13301D98

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6231	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3507	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8187	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1433	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7756	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1656	Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\DiEI7oU1	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\DkzUMxZ8	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\yGODxgsj	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\LcUJSdZq	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\YERHbDgw	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\5P46VR1V	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\2s3EMNnh	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\bT51Gn7Q	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\6KasAPG0	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_21-44015

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-9999

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	API coverage: 9.9 %
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	API coverage: 9.2 %

Source: C:\Users\user\Desktop\DF2.exe TID: 6724	Thread sleep time: -23760000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124	Thread sleep count: 6231 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120	Thread sleep count: 3507 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3940	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4960	Thread sleep count: 8187 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1136	Thread sleep count: 1433 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6476	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5480	Thread sleep count: 7756 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5480	Thread sleep count: 1656 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6892	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 6412	Thread sleep count: 79 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 6412	Thread sleep time: -39500s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 1260	Thread sleep count: 79 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 1260	Thread sleep time: -39500s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 7152	Thread sleep count: 51 > 30

Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\DF2.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Users\user\Desktop\DF2.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CC3DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	5_2_00007FF764CC3DB3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FF76A901CF3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FF76A901CF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E166233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE0E166233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0EB4B333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE0EB4B333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11504013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE11504013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11EC5013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	21_2_00007FFE11EC5013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11776233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11776233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11BDB333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11BDB333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11EC4013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE11EC4013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE126D5013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE126D5013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE132057B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE132057B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE133031F3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	32_2_00007FFE133031F3

Source: C:\Users\user\Desktop\DF2.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: nju2apmx83wqd9u7namsf59y.exe, 0000000A.00000002.1922920739.0000023EDEF58000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000015.00000003.1866710630.000001DE38CBC000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2911699496.000002009FE88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DF2.exe, 00000001.00000002.2910782778.0000000000E01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEE
Source: main.exe, 00000015.00000002.2481928274.000001DE38C9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll33

Source: C:\Users\user\Desktop\DF2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CCFF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

5_2_00007FF764CCFF1F

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC45D5 fopen,_fsopen,fseek,_errno,_errno,_errno,_errno,_errno,_errno,_errno,_errno,ftell,_errno,_errno,_errno,_errno,fseek,fread,_errno,_errno,_errno,_errno,GetProcessHeap,HeapAlloc,_errno,_errno,_errno,_errno,GetProcessHeap,HeapFree,fclose,

5_2_00007FF764CC45D5

Source: C:\Users\user\Desktop\DF2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CC1131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,	5_2_00007FF764CC1131
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CD05D9 SetUnhandledExceptionFilter,	5_2_00007FF764CD05D9
Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe	Code function: 5_2_00007FF764CDB6A0 SetUnhandledExceptionFilter,	5_2_00007FF764CDB6A0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FF76A901131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,	21_2_00007FF76A901131

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

5_2_00007FF764CC292E

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 448 -p 7100 -ip 7100
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 1220

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\w8m7wmyk939oczmkw4o2h16hs.exe

Code function: 5_2_00007FF764CC6FD5 GetSystemTimeAsFileTime,

5_2_00007FF764CC6FD5

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 21_2_00007FFE0E1638C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

21_2_00007FFE0E1638C3

Source: C:\Users\user\AppData\Local\Temp\nju2apmx83wqd9u7namsf59y.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: w8m7wmyk939oczmkw4o2h16hs.exe, 00000005.00000002.1697339890.0000023B624D8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: MsMpEng.exe

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0E16240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	21_2_00007FFE0E16240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE0EB44F8A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	21_2_00007FFE0EB44F8A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE1150240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	21_2_00007FFE1150240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 21_2_00007FFE11EC254A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	21_2_00007FFE11EC254A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1177240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE1177240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11BD4F8A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE11BD4F8A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11EC240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE11EC240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE126D254A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE126D254A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE13201ADA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE13201ADA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE133015FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	32_2_00007FFE133015FA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1331B820 listen,htons,recv,select,	32_2_00007FFE1331B820
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1331B7E8 bind,	32_2_00007FFE1331B7E8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1330A7F1 bind,	32_2_00007FFE1330A7F1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	1 Network Sniffing	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Create Account	2 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Service Execution	2 Valid Accounts	4 Windows Service	1 Timestomp	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	4 Windows Service	11 Process Injection	1 DLL Side-Loading	LSA Secrets	1 Network Sniffing	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 File Deletion	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	1 Network Share Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	131 Security Software Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Access Token Manipulation	/etc/passwd and /etc/shadow	31 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	31 Virtualization/Sandbox Evasion	Network Sniffing	2 Process Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	1 Application Window Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Users	Keylogging	1 System Owner/User Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Services File Permissions Weakness	GUI Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
DF2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DF2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
DF2.exe