Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
7RryusxiMtHBz80.exe

Overview

General Information

Sample name:7RryusxiMtHBz80.exe
Analysis ID:1623477
MD5:4bdc5e698f6016a3c1d15e2d8fe5c688
SHA1:4696280dd50fbabdc6e96438d27fa08f3a29fa44
SHA256:7b1d37ad80336e2eda4720deb2dd61b353c9ea2071f9cc2564b4fe28d2ca775c
Tags:exeLokiuser-threatcat_ch
Infos:

Detection

Lokibot
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Lokibot
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected aPLib compressed binary
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 7RryusxiMtHBz80.exe (PID: 7080 cmdline: "C:\Users\user\Desktop\7RryusxiMtHBz80.exe" MD5: 4BDC5E698F6016A3C1D15E2D8FE5C688)
    • powershell.exe (PID: 6980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5480 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7256 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7276 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7288 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • powershell.exe (PID: 7556 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7636 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp660C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RegSvcs.exe (PID: 7832 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • RegSvcs.exe (PID: 7840 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • RegSvcs.exe (PID: 7856 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • zkqXnJkrWmp.exe (PID: 7340 cmdline: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe MD5: 4BDC5E698F6016A3C1D15E2D8FE5C688)
    • schtasks.exe (PID: 8100 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp7DF9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5480 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 1808 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • VKLIKWXJXPZTHN.exe (PID: 7848 cmdline: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Loki Password Stealer (PWS), LokiBot"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
  • SWEED
  • The Gorgon Group
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_Lokibot_1Yara detected LokibotJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_LokibotYara detected LokibotJoe Security
      0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_aPLib_compressed_binaryYara detected aPLib compressed binaryJoe Security
        0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Lokibot_1f885282unknownunknown
          • 0x19c44:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
          0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Lokibot_0f421617unknownunknown
          • 0x6ff7:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
          Click to see the 32 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          22.2.RegSvcs.exe.400000.0.unpackJoeSecurity_LokibotYara detected LokibotJoe Security
            22.2.RegSvcs.exe.400000.0.unpackJoeSecurity_aPLib_compressed_binaryYara detected aPLib compressed binaryJoe Security
              22.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                22.2.RegSvcs.exe.400000.0.unpackWindows_Trojan_Lokibot_1f885282unknownunknown
                • 0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
                22.2.RegSvcs.exe.400000.0.unpackWindows_Trojan_Lokibot_0f421617unknownunknown
                • 0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
                Click to see the 37 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", ParentImage: C:\Users\user\Desktop\7RryusxiMtHBz80.exe, ParentProcessId: 7080, ParentProcessName: 7RryusxiMtHBz80.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", ProcessId: 6980, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", ParentImage: C:\Users\user\Desktop\7RryusxiMtHBz80.exe, ParentProcessId: 7080, ParentProcessName: 7RryusxiMtHBz80.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", ProcessId: 6980, ProcessName: powershell.exe
                Sigma detected: Suspicious Add Scheduled Task Parent
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp7DF9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp7DF9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe, ParentImage: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe, ParentProcessId: 7340, ParentProcessName: zkqXnJkrWmp.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp7DF9.tmp", ProcessId: 8100, ProcessName: schtasks.exe
                Sigma detected: Suspicious Schtasks From Env Var Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", ParentImage: C:\Users\user\Desktop\7RryusxiMtHBz80.exe, ParentProcessId: 7080, ParentProcessName: 7RryusxiMtHBz80.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp", ProcessId: 5480, ProcessName: schtasks.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", ParentImage: C:\Users\user\Desktop\7RryusxiMtHBz80.exe, ParentProcessId: 7080, ParentProcessName: 7RryusxiMtHBz80.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", ProcessId: 6980, ProcessName: powershell.exe

                Persistence and Installation Behavior

                barindex
                Sigma detected: Scheduled temp file as task from temp location
                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\7RryusxiMtHBz80.exe", ParentImage: C:\Users\user\Desktop\7RryusxiMtHBz80.exe, ParentProcessId: 7080, ParentProcessName: 7RryusxiMtHBz80.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp", ProcessId: 5480, ProcessName: schtasks.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-25T09:17:19.155999+010020243121A Network Trojan was detected192.168.2.449738104.21.64.180TCP
                2025-02-25T09:17:21.114109+010020243121A Network Trojan was detected192.168.2.449739104.21.64.180TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-25T09:17:18.389075+010020253811Malware Command and Control Activity Detected192.168.2.449738104.21.64.180TCP
                2025-02-25T09:17:20.344240+010020253811Malware Command and Control Activity Detected192.168.2.449739104.21.64.180TCP
                2025-02-25T09:17:21.481999+010020253811Malware Command and Control Activity Detected192.168.2.449740104.21.64.180TCP
                2025-02-25T09:17:23.453334+010020253811Malware Command and Control Activity Detected192.168.2.449745104.21.64.180TCP
                2025-02-25T09:17:25.530952+010020253811Malware Command and Control Activity Detected192.168.2.449749104.21.64.180TCP
                2025-02-25T09:17:27.569756+010020253811Malware Command and Control Activity Detected192.168.2.449751104.21.64.180TCP
                2025-02-25T09:17:29.486072+010020253811Malware Command and Control Activity Detected192.168.2.449752104.21.64.180TCP
                2025-02-25T09:17:31.422868+010020253811Malware Command and Control Activity Detected192.168.2.449753104.21.64.180TCP
                2025-02-25T09:17:33.307597+010020253811Malware Command and Control Activity Detected192.168.2.449754104.21.64.180TCP
                2025-02-25T09:17:35.229716+010020253811Malware Command and Control Activity Detected192.168.2.449755104.21.64.180TCP
                2025-02-25T09:17:37.121321+010020253811Malware Command and Control Activity Detected192.168.2.449756104.21.64.180TCP
                2025-02-25T09:17:39.019329+010020253811Malware Command and Control Activity Detected192.168.2.449758104.21.64.180TCP
                2025-02-25T09:17:41.092222+010020253811Malware Command and Control Activity Detected192.168.2.449761104.21.64.180TCP
                2025-02-25T09:17:43.090780+010020253811Malware Command and Control Activity Detected192.168.2.449762104.21.64.180TCP
                2025-02-25T09:17:46.046380+010020253811Malware Command and Control Activity Detected192.168.2.449763104.21.64.180TCP
                2025-02-25T09:17:48.103435+010020253811Malware Command and Control Activity Detected192.168.2.449764104.21.64.180TCP
                2025-02-25T09:17:50.028717+010020253811Malware Command and Control Activity Detected192.168.2.449765104.21.64.180TCP
                2025-02-25T09:17:51.979825+010020253811Malware Command and Control Activity Detected192.168.2.449767104.21.64.180TCP
                2025-02-25T09:17:53.775440+010020253811Malware Command and Control Activity Detected192.168.2.449769104.21.64.180TCP
                2025-02-25T09:17:55.776235+010020253811Malware Command and Control Activity Detected192.168.2.449770104.21.64.180TCP
                2025-02-25T09:17:57.767278+010020253811Malware Command and Control Activity Detected192.168.2.449771104.21.64.180TCP
                2025-02-25T09:17:59.573387+010020253811Malware Command and Control Activity Detected192.168.2.449772104.21.64.180TCP
                2025-02-25T09:18:01.728691+010020253811Malware Command and Control Activity Detected192.168.2.449774104.21.64.180TCP
                2025-02-25T09:18:03.646537+010020253811Malware Command and Control Activity Detected192.168.2.449776104.21.64.180TCP
                2025-02-25T09:18:05.542586+010020253811Malware Command and Control Activity Detected192.168.2.449787104.21.64.180TCP
                2025-02-25T09:18:07.522380+010020253811Malware Command and Control Activity Detected192.168.2.449803104.21.64.180TCP
                2025-02-25T09:18:09.660116+010020253811Malware Command and Control Activity Detected192.168.2.449814104.21.64.180TCP
                2025-02-25T09:18:11.604640+010020253811Malware Command and Control Activity Detected192.168.2.449830104.21.64.180TCP
                2025-02-25T09:18:13.726589+010020253811Malware Command and Control Activity Detected192.168.2.449846104.21.64.180TCP
                2025-02-25T09:18:15.689012+010020253811Malware Command and Control Activity Detected192.168.2.449856104.21.64.180TCP
                2025-02-25T09:18:17.596523+010020253811Malware Command and Control Activity Detected192.168.2.449869104.21.64.180TCP
                2025-02-25T09:18:19.646187+010020253811Malware Command and Control Activity Detected192.168.2.449882104.21.64.180TCP
                2025-02-25T09:18:21.446606+010020253811Malware Command and Control Activity Detected192.168.2.449896104.21.64.180TCP
                2025-02-25T09:18:23.387731+010020253811Malware Command and Control Activity Detected192.168.2.449909104.21.64.180TCP
                2025-02-25T09:18:25.169611+010020253811Malware Command and Control Activity Detected192.168.2.449923104.21.64.180TCP
                2025-02-25T09:18:26.965472+010020253811Malware Command and Control Activity Detected192.168.2.449936104.21.64.180TCP
                2025-02-25T09:18:28.918093+010020253811Malware Command and Control Activity Detected192.168.2.449950104.21.64.180TCP
                2025-02-25T09:18:30.841074+010020253811Malware Command and Control Activity Detected192.168.2.449963104.21.64.180TCP
                2025-02-25T09:18:32.714967+010020253811Malware Command and Control Activity Detected192.168.2.449977104.21.64.180TCP
                2025-02-25T09:18:34.586585+010020253811Malware Command and Control Activity Detected192.168.2.449990104.21.64.180TCP
                2025-02-25T09:18:36.381267+010020253811Malware Command and Control Activity Detected192.168.2.450003104.21.64.180TCP
                2025-02-25T09:18:38.273694+010020253811Malware Command and Control Activity Detected192.168.2.450016104.21.64.180TCP
                2025-02-25T09:18:40.195695+010020253811Malware Command and Control Activity Detected192.168.2.450030104.21.64.180TCP
                2025-02-25T09:18:42.119561+010020253811Malware Command and Control Activity Detected192.168.2.450044104.21.64.180TCP
                2025-02-25T09:18:44.134283+010020253811Malware Command and Control Activity Detected192.168.2.450058104.21.64.180TCP
                2025-02-25T09:18:46.045395+010020253811Malware Command and Control Activity Detected192.168.2.450062104.21.64.180TCP
                2025-02-25T09:18:47.863395+010020253811Malware Command and Control Activity Detected192.168.2.450063104.21.64.180TCP
                2025-02-25T09:18:49.840095+010020253811Malware Command and Control Activity Detected192.168.2.450064104.21.64.180TCP
                2025-02-25T09:18:51.791443+010020253811Malware Command and Control Activity Detected192.168.2.450065104.21.64.180TCP
                2025-02-25T09:18:53.744947+010020253811Malware Command and Control Activity Detected192.168.2.450066104.21.64.180TCP
                2025-02-25T09:18:55.523995+010020253811Malware Command and Control Activity Detected192.168.2.450067104.21.64.180TCP
                2025-02-25T09:18:57.450316+010020253811Malware Command and Control Activity Detected192.168.2.450068104.21.64.180TCP
                2025-02-25T09:18:59.368346+010020253811Malware Command and Control Activity Detected192.168.2.450069104.21.64.180TCP
                2025-02-25T09:19:01.242646+010020253811Malware Command and Control Activity Detected192.168.2.450070104.21.64.180TCP
                2025-02-25T09:19:03.181232+010020253811Malware Command and Control Activity Detected192.168.2.450071104.21.64.180TCP
                2025-02-25T09:19:05.088927+010020253811Malware Command and Control Activity Detected192.168.2.450072104.21.64.180TCP
                2025-02-25T09:19:07.023097+010020253811Malware Command and Control Activity Detected192.168.2.450073104.21.64.180TCP
                2025-02-25T09:19:08.806256+010020253811Malware Command and Control Activity Detected192.168.2.450074104.21.64.180TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-25T09:17:22.266479+010020254831A Network Trojan was detected104.21.64.180192.168.2.449740TCP
                2025-02-25T09:17:24.223568+010020254831A Network Trojan was detected104.21.64.180192.168.2.449745TCP
                2025-02-25T09:17:30.249632+010020254831A Network Trojan was detected104.21.64.180192.168.2.449752TCP
                2025-02-25T09:17:34.059858+010020254831A Network Trojan was detected104.21.64.180192.168.2.449754TCP
                2025-02-25T09:17:39.815627+010020254831A Network Trojan was detected104.21.64.180192.168.2.449758TCP
                2025-02-25T09:17:41.897606+010020254831A Network Trojan was detected104.21.64.180192.168.2.449761TCP
                2025-02-25T09:17:46.950831+010020254831A Network Trojan was detected104.21.64.180192.168.2.449763TCP
                2025-02-25T09:17:50.810648+010020254831A Network Trojan was detected104.21.64.180192.168.2.449765TCP
                2025-02-25T09:17:52.609405+010020254831A Network Trojan was detected104.21.64.180192.168.2.449767TCP
                2025-02-25T09:17:56.529848+010020254831A Network Trojan was detected104.21.64.180192.168.2.449770TCP
                2025-02-25T09:17:58.400308+010020254831A Network Trojan was detected104.21.64.180192.168.2.449771TCP
                2025-02-25T09:18:00.421115+010020254831A Network Trojan was detected104.21.64.180192.168.2.449772TCP
                2025-02-25T09:18:02.364827+010020254831A Network Trojan was detected104.21.64.180192.168.2.449774TCP
                2025-02-25T09:18:04.379667+010020254831A Network Trojan was detected104.21.64.180192.168.2.449776TCP
                2025-02-25T09:18:06.320072+010020254831A Network Trojan was detected104.21.64.180192.168.2.449787TCP
                2025-02-25T09:18:08.277524+010020254831A Network Trojan was detected104.21.64.180192.168.2.449803TCP
                2025-02-25T09:18:10.443426+010020254831A Network Trojan was detected104.21.64.180192.168.2.449814TCP
                2025-02-25T09:18:12.359272+010020254831A Network Trojan was detected104.21.64.180192.168.2.449830TCP
                2025-02-25T09:18:16.427053+010020254831A Network Trojan was detected104.21.64.180192.168.2.449856TCP
                2025-02-25T09:18:20.278079+010020254831A Network Trojan was detected104.21.64.180192.168.2.449882TCP
                2025-02-25T09:18:22.213201+010020254831A Network Trojan was detected104.21.64.180192.168.2.449896TCP
                2025-02-25T09:18:24.017514+010020254831A Network Trojan was detected104.21.64.180192.168.2.449909TCP
                2025-02-25T09:18:25.791819+010020254831A Network Trojan was detected104.21.64.180192.168.2.449923TCP
                2025-02-25T09:18:27.732246+010020254831A Network Trojan was detected104.21.64.180192.168.2.449936TCP
                2025-02-25T09:18:29.690332+010020254831A Network Trojan was detected104.21.64.180192.168.2.449950TCP
                2025-02-25T09:18:35.226104+010020254831A Network Trojan was detected104.21.64.180192.168.2.449990TCP
                2025-02-25T09:18:37.128364+010020254831A Network Trojan was detected104.21.64.180192.168.2.450003TCP
                2025-02-25T09:18:39.034190+010020254831A Network Trojan was detected104.21.64.180192.168.2.450016TCP
                2025-02-25T09:18:40.953115+010020254831A Network Trojan was detected104.21.64.180192.168.2.450030TCP
                2025-02-25T09:18:42.987357+010020254831A Network Trojan was detected104.21.64.180192.168.2.450044TCP
                2025-02-25T09:18:44.895041+010020254831A Network Trojan was detected104.21.64.180192.168.2.450058TCP
                2025-02-25T09:18:46.667165+010020254831A Network Trojan was detected104.21.64.180192.168.2.450062TCP
                2025-02-25T09:18:48.655562+010020254831A Network Trojan was detected104.21.64.180192.168.2.450063TCP
                2025-02-25T09:18:50.629842+010020254831A Network Trojan was detected104.21.64.180192.168.2.450064TCP
                2025-02-25T09:18:52.584773+010020254831A Network Trojan was detected104.21.64.180192.168.2.450065TCP
                2025-02-25T09:18:54.369256+010020254831A Network Trojan was detected104.21.64.180192.168.2.450066TCP
                2025-02-25T09:18:56.297683+010020254831A Network Trojan was detected104.21.64.180192.168.2.450067TCP
                2025-02-25T09:19:02.007983+010020254831A Network Trojan was detected104.21.64.180192.168.2.450070TCP
                2025-02-25T09:19:03.934482+010020254831A Network Trojan was detected104.21.64.180192.168.2.450071TCP
                2025-02-25T09:19:05.853496+010020254831A Network Trojan was detected104.21.64.180192.168.2.450072TCP
                2025-02-25T09:19:07.641817+010020254831A Network Trojan was detected104.21.64.180192.168.2.450073TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-25T09:17:22.261363+010020243131Malware Command and Control Activity Detected192.168.2.449740104.21.64.180TCP
                2025-02-25T09:17:24.211701+010020243131Malware Command and Control Activity Detected192.168.2.449745104.21.64.180TCP
                2025-02-25T09:17:26.250025+010020243131Malware Command and Control Activity Detected192.168.2.449749104.21.64.180TCP
                2025-02-25T09:17:28.299249+010020243131Malware Command and Control Activity Detected192.168.2.449751104.21.64.180TCP
                2025-02-25T09:17:30.244395+010020243131Malware Command and Control Activity Detected192.168.2.449752104.21.64.180TCP
                2025-02-25T09:17:32.144534+010020243131Malware Command and Control Activity Detected192.168.2.449753104.21.64.180TCP
                2025-02-25T09:17:34.052359+010020243131Malware Command and Control Activity Detected192.168.2.449754104.21.64.180TCP
                2025-02-25T09:17:35.953618+010020243131Malware Command and Control Activity Detected192.168.2.449755104.21.64.180TCP
                2025-02-25T09:17:37.842579+010020243131Malware Command and Control Activity Detected192.168.2.449756104.21.64.180TCP
                2025-02-25T09:17:39.809947+010020243131Malware Command and Control Activity Detected192.168.2.449758104.21.64.180TCP
                2025-02-25T09:17:41.892393+010020243131Malware Command and Control Activity Detected192.168.2.449761104.21.64.180TCP
                2025-02-25T09:17:44.821199+010020243131Malware Command and Control Activity Detected192.168.2.449762104.21.64.180TCP
                2025-02-25T09:17:46.945675+010020243131Malware Command and Control Activity Detected192.168.2.449763104.21.64.180TCP
                2025-02-25T09:17:48.814092+010020243131Malware Command and Control Activity Detected192.168.2.449764104.21.64.180TCP
                2025-02-25T09:17:50.804475+010020243131Malware Command and Control Activity Detected192.168.2.449765104.21.64.180TCP
                2025-02-25T09:17:52.604381+010020243131Malware Command and Control Activity Detected192.168.2.449767104.21.64.180TCP
                2025-02-25T09:17:54.495346+010020243131Malware Command and Control Activity Detected192.168.2.449769104.21.64.180TCP
                2025-02-25T09:17:56.524683+010020243131Malware Command and Control Activity Detected192.168.2.449770104.21.64.180TCP
                2025-02-25T09:17:58.395174+010020243131Malware Command and Control Activity Detected192.168.2.449771104.21.64.180TCP
                2025-02-25T09:18:00.413951+010020243131Malware Command and Control Activity Detected192.168.2.449772104.21.64.180TCP
                2025-02-25T09:18:02.359640+010020243131Malware Command and Control Activity Detected192.168.2.449774104.21.64.180TCP
                2025-02-25T09:18:04.374561+010020243131Malware Command and Control Activity Detected192.168.2.449776104.21.64.180TCP
                2025-02-25T09:18:06.309282+010020243131Malware Command and Control Activity Detected192.168.2.449787104.21.64.180TCP
                2025-02-25T09:18:08.271460+010020243131Malware Command and Control Activity Detected192.168.2.449803104.21.64.180TCP
                2025-02-25T09:18:10.438324+010020243131Malware Command and Control Activity Detected192.168.2.449814104.21.64.180TCP
                2025-02-25T09:18:12.353775+010020243131Malware Command and Control Activity Detected192.168.2.449830104.21.64.180TCP
                2025-02-25T09:18:14.437609+010020243131Malware Command and Control Activity Detected192.168.2.449846104.21.64.180TCP
                2025-02-25T09:18:16.418650+010020243131Malware Command and Control Activity Detected192.168.2.449856104.21.64.180TCP
                2025-02-25T09:18:18.301298+010020243131Malware Command and Control Activity Detected192.168.2.449869104.21.64.180TCP
                2025-02-25T09:18:20.272824+010020243131Malware Command and Control Activity Detected192.168.2.449882104.21.64.180TCP
                2025-02-25T09:18:22.208102+010020243131Malware Command and Control Activity Detected192.168.2.449896104.21.64.180TCP
                2025-02-25T09:18:24.012282+010020243131Malware Command and Control Activity Detected192.168.2.449909104.21.64.180TCP
                2025-02-25T09:18:25.780919+010020243131Malware Command and Control Activity Detected192.168.2.449923104.21.64.180TCP
                2025-02-25T09:18:27.727236+010020243131Malware Command and Control Activity Detected192.168.2.449936104.21.64.180TCP
                2025-02-25T09:18:29.682184+010020243131Malware Command and Control Activity Detected192.168.2.449950104.21.64.180TCP
                2025-02-25T09:18:31.550205+010020243131Malware Command and Control Activity Detected192.168.2.449963104.21.64.180TCP
                2025-02-25T09:18:33.436425+010020243131Malware Command and Control Activity Detected192.168.2.449977104.21.64.180TCP
                2025-02-25T09:18:35.221011+010020243131Malware Command and Control Activity Detected192.168.2.449990104.21.64.180TCP
                2025-02-25T09:18:37.122959+010020243131Malware Command and Control Activity Detected192.168.2.450003104.21.64.180TCP
                2025-02-25T09:18:39.028792+010020243131Malware Command and Control Activity Detected192.168.2.450016104.21.64.180TCP
                2025-02-25T09:18:40.948112+010020243131Malware Command and Control Activity Detected192.168.2.450030104.21.64.180TCP
                2025-02-25T09:18:42.982252+010020243131Malware Command and Control Activity Detected192.168.2.450044104.21.64.180TCP
                2025-02-25T09:18:44.889929+010020243131Malware Command and Control Activity Detected192.168.2.450058104.21.64.180TCP
                2025-02-25T09:18:46.662087+010020243131Malware Command and Control Activity Detected192.168.2.450062104.21.64.180TCP
                2025-02-25T09:18:48.650449+010020243131Malware Command and Control Activity Detected192.168.2.450063104.21.64.180TCP
                2025-02-25T09:18:50.624662+010020243131Malware Command and Control Activity Detected192.168.2.450064104.21.64.180TCP
                2025-02-25T09:18:52.579635+010020243131Malware Command and Control Activity Detected192.168.2.450065104.21.64.180TCP
                2025-02-25T09:18:54.363302+010020243131Malware Command and Control Activity Detected192.168.2.450066104.21.64.180TCP
                2025-02-25T09:18:56.292022+010020243131Malware Command and Control Activity Detected192.168.2.450067104.21.64.180TCP
                2025-02-25T09:18:58.194917+010020243131Malware Command and Control Activity Detected192.168.2.450068104.21.64.180TCP
                2025-02-25T09:19:00.086430+010020243131Malware Command and Control Activity Detected192.168.2.450069104.21.64.180TCP
                2025-02-25T09:19:02.002273+010020243131Malware Command and Control Activity Detected192.168.2.450070104.21.64.180TCP
                2025-02-25T09:19:03.928548+010020243131Malware Command and Control Activity Detected192.168.2.450071104.21.64.180TCP
                2025-02-25T09:19:05.848456+010020243131Malware Command and Control Activity Detected192.168.2.450072104.21.64.180TCP
                2025-02-25T09:19:07.635639+010020243131Malware Command and Control Activity Detected192.168.2.450073104.21.64.180TCP
                2025-02-25T09:19:09.535222+010020243131Malware Command and Control Activity Detected192.168.2.450074104.21.64.180TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-25T09:17:22.261363+010020243181Malware Command and Control Activity Detected192.168.2.449740104.21.64.180TCP
                2025-02-25T09:17:24.211701+010020243181Malware Command and Control Activity Detected192.168.2.449745104.21.64.180TCP
                2025-02-25T09:17:26.250025+010020243181Malware Command and Control Activity Detected192.168.2.449749104.21.64.180TCP
                2025-02-25T09:17:28.299249+010020243181Malware Command and Control Activity Detected192.168.2.449751104.21.64.180TCP
                2025-02-25T09:17:30.244395+010020243181Malware Command and Control Activity Detected192.168.2.449752104.21.64.180TCP
                2025-02-25T09:17:32.144534+010020243181Malware Command and Control Activity Detected192.168.2.449753104.21.64.180TCP
                2025-02-25T09:17:34.052359+010020243181Malware Command and Control Activity Detected192.168.2.449754104.21.64.180TCP
                2025-02-25T09:17:35.953618+010020243181Malware Command and Control Activity Detected192.168.2.449755104.21.64.180TCP
                2025-02-25T09:17:37.842579+010020243181Malware Command and Control Activity Detected192.168.2.449756104.21.64.180TCP
                2025-02-25T09:17:39.809947+010020243181Malware Command and Control Activity Detected192.168.2.449758104.21.64.180TCP
                2025-02-25T09:17:41.892393+010020243181Malware Command and Control Activity Detected192.168.2.449761104.21.64.180TCP
                2025-02-25T09:17:44.821199+010020243181Malware Command and Control Activity Detected192.168.2.449762104.21.64.180TCP
                2025-02-25T09:17:46.945675+010020243181Malware Command and Control Activity Detected192.168.2.449763104.21.64.180TCP
                2025-02-25T09:17:48.814092+010020243181Malware Command and Control Activity Detected192.168.2.449764104.21.64.180TCP
                2025-02-25T09:17:50.804475+010020243181Malware Command and Control Activity Detected192.168.2.449765104.21.64.180TCP
                2025-02-25T09:17:52.604381+010020243181Malware Command and Control Activity Detected192.168.2.449767104.21.64.180TCP
                2025-02-25T09:17:54.495346+010020243181Malware Command and Control Activity Detected192.168.2.449769104.21.64.180TCP
                2025-02-25T09:17:56.524683+010020243181Malware Command and Control Activity Detected192.168.2.449770104.21.64.180TCP
                2025-02-25T09:17:58.395174+010020243181Malware Command and Control Activity Detected192.168.2.449771104.21.64.180TCP
                2025-02-25T09:18:00.413951+010020243181Malware Command and Control Activity Detected192.168.2.449772104.21.64.180TCP
                2025-02-25T09:18:02.359640+010020243181Malware Command and Control Activity Detected192.168.2.449774104.21.64.180TCP
                2025-02-25T09:18:04.374561+010020243181Malware Command and Control Activity Detected192.168.2.449776104.21.64.180TCP
                2025-02-25T09:18:06.309282+010020243181Malware Command and Control Activity Detected192.168.2.449787104.21.64.180TCP
                2025-02-25T09:18:08.271460+010020243181Malware Command and Control Activity Detected192.168.2.449803104.21.64.180TCP
                2025-02-25T09:18:10.438324+010020243181Malware Command and Control Activity Detected192.168.2.449814104.21.64.180TCP
                2025-02-25T09:18:12.353775+010020243181Malware Command and Control Activity Detected192.168.2.449830104.21.64.180TCP
                2025-02-25T09:18:14.437609+010020243181Malware Command and Control Activity Detected192.168.2.449846104.21.64.180TCP
                2025-02-25T09:18:16.418650+010020243181Malware Command and Control Activity Detected192.168.2.449856104.21.64.180TCP
                2025-02-25T09:18:18.301298+010020243181Malware Command and Control Activity Detected192.168.2.449869104.21.64.180TCP
                2025-02-25T09:18:20.272824+010020243181Malware Command and Control Activity Detected192.168.2.449882104.21.64.180TCP
                2025-02-25T09:18:22.208102+010020243181Malware Command and Control Activity Detected192.168.2.449896104.21.64.180TCP
                2025-02-25T09:18:24.012282+010020243181Malware Command and Control Activity Detected192.168.2.449909104.21.64.180TCP
                2025-02-25T09:18:25.780919+010020243181Malware Command and Control Activity Detected192.168.2.449923104.21.64.180TCP
                2025-02-25T09:18:27.727236+010020243181Malware Command and Control Activity Detected192.168.2.449936104.21.64.180TCP
                2025-02-25T09:18:29.682184+010020243181Malware Command and Control Activity Detected192.168.2.449950104.21.64.180TCP
                2025-02-25T09:18:31.550205+010020243181Malware Command and Control Activity Detected192.168.2.449963104.21.64.180TCP
                2025-02-25T09:18:33.436425+010020243181Malware Command and Control Activity Detected192.168.2.449977104.21.64.180TCP
                2025-02-25T09:18:35.221011+010020243181Malware Command and Control Activity Detected192.168.2.449990104.21.64.180TCP
                2025-02-25T09:18:37.122959+010020243181Malware Command and Control Activity Detected192.168.2.450003104.21.64.180TCP
                2025-02-25T09:18:39.028792+010020243181Malware Command and Control Activity Detected192.168.2.450016104.21.64.180TCP
                2025-02-25T09:18:40.948112+010020243181Malware Command and Control Activity Detected192.168.2.450030104.21.64.180TCP
                2025-02-25T09:18:42.982252+010020243181Malware Command and Control Activity Detected192.168.2.450044104.21.64.180TCP
                2025-02-25T09:18:44.889929+010020243181Malware Command and Control Activity Detected192.168.2.450058104.21.64.180TCP
                2025-02-25T09:18:46.662087+010020243181Malware Command and Control Activity Detected192.168.2.450062104.21.64.180TCP
                2025-02-25T09:18:48.650449+010020243181Malware Command and Control Activity Detected192.168.2.450063104.21.64.180TCP
                2025-02-25T09:18:50.624662+010020243181Malware Command and Control Activity Detected192.168.2.450064104.21.64.180TCP
                2025-02-25T09:18:52.579635+010020243181Malware Command and Control Activity Detected192.168.2.450065104.21.64.180TCP
                2025-02-25T09:18:54.363302+010020243181Malware Command and Control Activity Detected192.168.2.450066104.21.64.180TCP
                2025-02-25T09:18:56.292022+010020243181Malware Command and Control Activity Detected192.168.2.450067104.21.64.180TCP
                2025-02-25T09:18:58.194917+010020243181Malware Command and Control Activity Detected192.168.2.450068104.21.64.180TCP
                2025-02-25T09:19:00.086430+010020243181Malware Command and Control Activity Detected192.168.2.450069104.21.64.180TCP
                2025-02-25T09:19:02.002273+010020243181Malware Command and Control Activity Detected192.168.2.450070104.21.64.180TCP
                2025-02-25T09:19:03.928548+010020243181Malware Command and Control Activity Detected192.168.2.450071104.21.64.180TCP
                2025-02-25T09:19:05.848456+010020243181Malware Command and Control Activity Detected192.168.2.450072104.21.64.180TCP
                2025-02-25T09:19:07.635639+010020243181Malware Command and Control Activity Detected192.168.2.450073104.21.64.180TCP
                2025-02-25T09:19:09.535222+010020243181Malware Command and Control Activity Detected192.168.2.450074104.21.64.180TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-25T09:17:18.389075+010020216411A Network Trojan was detected192.168.2.449738104.21.64.180TCP
                2025-02-25T09:17:20.344240+010020216411A Network Trojan was detected192.168.2.449739104.21.64.180TCP
                2025-02-25T09:17:21.481999+010020216411A Network Trojan was detected192.168.2.449740104.21.64.180TCP
                2025-02-25T09:17:23.453334+010020216411A Network Trojan was detected192.168.2.449745104.21.64.180TCP
                2025-02-25T09:17:25.530952+010020216411A Network Trojan was detected192.168.2.449749104.21.64.180TCP
                2025-02-25T09:17:27.569756+010020216411A Network Trojan was detected192.168.2.449751104.21.64.180TCP
                2025-02-25T09:17:29.486072+010020216411A Network Trojan was detected192.168.2.449752104.21.64.180TCP
                2025-02-25T09:17:31.422868+010020216411A Network Trojan was detected192.168.2.449753104.21.64.180TCP
                2025-02-25T09:17:33.307597+010020216411A Network Trojan was detected192.168.2.449754104.21.64.180TCP
                2025-02-25T09:17:35.229716+010020216411A Network Trojan was detected192.168.2.449755104.21.64.180TCP
                2025-02-25T09:17:37.121321+010020216411A Network Trojan was detected192.168.2.449756104.21.64.180TCP
                2025-02-25T09:17:39.019329+010020216411A Network Trojan was detected192.168.2.449758104.21.64.180TCP
                2025-02-25T09:17:41.092222+010020216411A Network Trojan was detected192.168.2.449761104.21.64.180TCP
                2025-02-25T09:17:43.090780+010020216411A Network Trojan was detected192.168.2.449762104.21.64.180TCP
                2025-02-25T09:17:46.046380+010020216411A Network Trojan was detected192.168.2.449763104.21.64.180TCP
                2025-02-25T09:17:48.103435+010020216411A Network Trojan was detected192.168.2.449764104.21.64.180TCP
                2025-02-25T09:17:50.028717+010020216411A Network Trojan was detected192.168.2.449765104.21.64.180TCP
                2025-02-25T09:17:51.979825+010020216411A Network Trojan was detected192.168.2.449767104.21.64.180TCP
                2025-02-25T09:17:53.775440+010020216411A Network Trojan was detected192.168.2.449769104.21.64.180TCP
                2025-02-25T09:17:55.776235+010020216411A Network Trojan was detected192.168.2.449770104.21.64.180TCP
                2025-02-25T09:17:57.767278+010020216411A Network Trojan was detected192.168.2.449771104.21.64.180TCP
                2025-02-25T09:17:59.573387+010020216411A Network Trojan was detected192.168.2.449772104.21.64.180TCP
                2025-02-25T09:18:01.728691+010020216411A Network Trojan was detected192.168.2.449774104.21.64.180TCP
                2025-02-25T09:18:03.646537+010020216411A Network Trojan was detected192.168.2.449776104.21.64.180TCP
                2025-02-25T09:18:05.542586+010020216411A Network Trojan was detected192.168.2.449787104.21.64.180TCP
                2025-02-25T09:18:07.522380+010020216411A Network Trojan was detected192.168.2.449803104.21.64.180TCP
                2025-02-25T09:18:09.660116+010020216411A Network Trojan was detected192.168.2.449814104.21.64.180TCP
                2025-02-25T09:18:11.604640+010020216411A Network Trojan was detected192.168.2.449830104.21.64.180TCP
                2025-02-25T09:18:13.726589+010020216411A Network Trojan was detected192.168.2.449846104.21.64.180TCP
                2025-02-25T09:18:15.689012+010020216411A Network Trojan was detected192.168.2.449856104.21.64.180TCP
                2025-02-25T09:18:17.596523+010020216411A Network Trojan was detected192.168.2.449869104.21.64.180TCP
                2025-02-25T09:18:19.646187+010020216411A Network Trojan was detected192.168.2.449882104.21.64.180TCP
                2025-02-25T09:18:21.446606+010020216411A Network Trojan was detected192.168.2.449896104.21.64.180TCP
                2025-02-25T09:18:23.387731+010020216411A Network Trojan was detected192.168.2.449909104.21.64.180TCP
                2025-02-25T09:18:25.169611+010020216411A Network Trojan was detected192.168.2.449923104.21.64.180TCP
                2025-02-25T09:18:26.965472+010020216411A Network Trojan was detected192.168.2.449936104.21.64.180TCP
                2025-02-25T09:18:28.918093+010020216411A Network Trojan was detected192.168.2.449950104.21.64.180TCP
                2025-02-25T09:18:30.841074+010020216411A Network Trojan was detected192.168.2.449963104.21.64.180TCP
                2025-02-25T09:18:32.714967+010020216411A Network Trojan was detected192.168.2.449977104.21.64.180TCP
                2025-02-25T09:18:34.586585+010020216411A Network Trojan was detected192.168.2.449990104.21.64.180TCP
                2025-02-25T09:18:36.381267+010020216411A Network Trojan was detected192.168.2.450003104.21.64.180TCP
                2025-02-25T09:18:38.273694+010020216411A Network Trojan was detected192.168.2.450016104.21.64.180TCP
                2025-02-25T09:18:40.195695+010020216411A Network Trojan was detected192.168.2.450030104.21.64.180TCP
                2025-02-25T09:18:42.119561+010020216411A Network Trojan was detected192.168.2.450044104.21.64.180TCP
                2025-02-25T09:18:44.134283+010020216411A Network Trojan was detected192.168.2.450058104.21.64.180TCP
                2025-02-25T09:18:46.045395+010020216411A Network Trojan was detected192.168.2.450062104.21.64.180TCP
                2025-02-25T09:18:47.863395+010020216411A Network Trojan was detected192.168.2.450063104.21.64.180TCP
                2025-02-25T09:18:49.840095+010020216411A Network Trojan was detected192.168.2.450064104.21.64.180TCP
                2025-02-25T09:18:51.791443+010020216411A Network Trojan was detected192.168.2.450065104.21.64.180TCP
                2025-02-25T09:18:53.744947+010020216411A Network Trojan was detected192.168.2.450066104.21.64.180TCP
                2025-02-25T09:18:55.523995+010020216411A Network Trojan was detected192.168.2.450067104.21.64.180TCP
                2025-02-25T09:18:57.450316+010020216411A Network Trojan was detected192.168.2.450068104.21.64.180TCP
                2025-02-25T09:18:59.368346+010020216411A Network Trojan was detected192.168.2.450069104.21.64.180TCP
                2025-02-25T09:19:01.242646+010020216411A Network Trojan was detected192.168.2.450070104.21.64.180TCP
                2025-02-25T09:19:03.181232+010020216411A Network Trojan was detected192.168.2.450071104.21.64.180TCP
                2025-02-25T09:19:05.088927+010020216411A Network Trojan was detected192.168.2.450072104.21.64.180TCP
                2025-02-25T09:19:07.023097+010020216411A Network Trojan was detected192.168.2.450073104.21.64.180TCP
                2025-02-25T09:19:08.806256+010020216411A Network Trojan was detected192.168.2.450074104.21.64.180TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-25T09:17:18.389075+010028257661Malware Command and Control Activity Detected192.168.2.449738104.21.64.180TCP
                2025-02-25T09:17:20.344240+010028257661Malware Command and Control Activity Detected192.168.2.449739104.21.64.180TCP
                2025-02-25T09:17:21.481999+010028257661Malware Command and Control Activity Detected192.168.2.449740104.21.64.180TCP
                2025-02-25T09:17:23.453334+010028257661Malware Command and Control Activity Detected192.168.2.449745104.21.64.180TCP
                2025-02-25T09:17:25.530952+010028257661Malware Command and Control Activity Detected192.168.2.449749104.21.64.180TCP
                2025-02-25T09:17:27.569756+010028257661Malware Command and Control Activity Detected192.168.2.449751104.21.64.180TCP
                2025-02-25T09:17:29.486072+010028257661Malware Command and Control Activity Detected192.168.2.449752104.21.64.180TCP
                2025-02-25T09:17:31.422868+010028257661Malware Command and Control Activity Detected192.168.2.449753104.21.64.180TCP
                2025-02-25T09:17:33.307597+010028257661Malware Command and Control Activity Detected192.168.2.449754104.21.64.180TCP
                2025-02-25T09:17:35.229716+010028257661Malware Command and Control Activity Detected192.168.2.449755104.21.64.180TCP
                2025-02-25T09:17:37.121321+010028257661Malware Command and Control Activity Detected192.168.2.449756104.21.64.180TCP
                2025-02-25T09:17:39.019329+010028257661Malware Command and Control Activity Detected192.168.2.449758104.21.64.180TCP
                2025-02-25T09:17:41.092222+010028257661Malware Command and Control Activity Detected192.168.2.449761104.21.64.180TCP
                2025-02-25T09:17:43.090780+010028257661Malware Command and Control Activity Detected192.168.2.449762104.21.64.180TCP
                2025-02-25T09:17:46.046380+010028257661Malware Command and Control Activity Detected192.168.2.449763104.21.64.180TCP
                2025-02-25T09:17:48.103435+010028257661Malware Command and Control Activity Detected192.168.2.449764104.21.64.180TCP
                2025-02-25T09:17:50.028717+010028257661Malware Command and Control Activity Detected192.168.2.449765104.21.64.180TCP
                2025-02-25T09:17:51.979825+010028257661Malware Command and Control Activity Detected192.168.2.449767104.21.64.180TCP
                2025-02-25T09:17:53.775440+010028257661Malware Command and Control Activity Detected192.168.2.449769104.21.64.180TCP
                2025-02-25T09:17:55.776235+010028257661Malware Command and Control Activity Detected192.168.2.449770104.21.64.180TCP
                2025-02-25T09:17:57.767278+010028257661Malware Command and Control Activity Detected192.168.2.449771104.21.64.180TCP
                2025-02-25T09:17:59.573387+010028257661Malware Command and Control Activity Detected192.168.2.449772104.21.64.180TCP
                2025-02-25T09:18:01.728691+010028257661Malware Command and Control Activity Detected192.168.2.449774104.21.64.180TCP
                2025-02-25T09:18:03.646537+010028257661Malware Command and Control Activity Detected192.168.2.449776104.21.64.180TCP
                2025-02-25T09:18:05.542586+010028257661Malware Command and Control Activity Detected192.168.2.449787104.21.64.180TCP
                2025-02-25T09:18:07.522380+010028257661Malware Command and Control Activity Detected192.168.2.449803104.21.64.180TCP
                2025-02-25T09:18:09.660116+010028257661Malware Command and Control Activity Detected192.168.2.449814104.21.64.180TCP
                2025-02-25T09:18:11.604640+010028257661Malware Command and Control Activity Detected192.168.2.449830104.21.64.180TCP
                2025-02-25T09:18:13.726589+010028257661Malware Command and Control Activity Detected192.168.2.449846104.21.64.180TCP
                2025-02-25T09:18:15.689012+010028257661Malware Command and Control Activity Detected192.168.2.449856104.21.64.180TCP
                2025-02-25T09:18:17.596523+010028257661Malware Command and Control Activity Detected192.168.2.449869104.21.64.180TCP
                2025-02-25T09:18:19.646187+010028257661Malware Command and Control Activity Detected192.168.2.449882104.21.64.180TCP
                2025-02-25T09:18:21.446606+010028257661Malware Command and Control Activity Detected192.168.2.449896104.21.64.180TCP
                2025-02-25T09:18:23.387731+010028257661Malware Command and Control Activity Detected192.168.2.449909104.21.64.180TCP
                2025-02-25T09:18:25.169611+010028257661Malware Command and Control Activity Detected192.168.2.449923104.21.64.180TCP
                2025-02-25T09:18:26.965472+010028257661Malware Command and Control Activity Detected192.168.2.449936104.21.64.180TCP
                2025-02-25T09:18:28.918093+010028257661Malware Command and Control Activity Detected192.168.2.449950104.21.64.180TCP
                2025-02-25T09:18:30.841074+010028257661Malware Command and Control Activity Detected192.168.2.449963104.21.64.180TCP
                2025-02-25T09:18:32.714967+010028257661Malware Command and Control Activity Detected192.168.2.449977104.21.64.180TCP
                2025-02-25T09:18:34.586585+010028257661Malware Command and Control Activity Detected192.168.2.449990104.21.64.180TCP
                2025-02-25T09:18:36.381267+010028257661Malware Command and Control Activity Detected192.168.2.450003104.21.64.180TCP
                2025-02-25T09:18:38.273694+010028257661Malware Command and Control Activity Detected192.168.2.450016104.21.64.180TCP
                2025-02-25T09:18:40.195695+010028257661Malware Command and Control Activity Detected192.168.2.450030104.21.64.180TCP
                2025-02-25T09:18:42.119561+010028257661Malware Command and Control Activity Detected192.168.2.450044104.21.64.180TCP
                2025-02-25T09:18:44.134283+010028257661Malware Command and Control Activity Detected192.168.2.450058104.21.64.180TCP
                2025-02-25T09:18:46.045395+010028257661Malware Command and Control Activity Detected192.168.2.450062104.21.64.180TCP
                2025-02-25T09:18:47.863395+010028257661Malware Command and Control Activity Detected192.168.2.450063104.21.64.180TCP
                2025-02-25T09:18:49.840095+010028257661Malware Command and Control Activity Detected192.168.2.450064104.21.64.180TCP
                2025-02-25T09:18:51.791443+010028257661Malware Command and Control Activity Detected192.168.2.450065104.21.64.180TCP
                2025-02-25T09:18:53.744947+010028257661Malware Command and Control Activity Detected192.168.2.450066104.21.64.180TCP
                2025-02-25T09:18:55.523995+010028257661Malware Command and Control Activity Detected192.168.2.450067104.21.64.180TCP
                2025-02-25T09:18:57.450316+010028257661Malware Command and Control Activity Detected192.168.2.450068104.21.64.180TCP
                2025-02-25T09:18:59.368346+010028257661Malware Command and Control Activity Detected192.168.2.450069104.21.64.180TCP
                2025-02-25T09:19:01.242646+010028257661Malware Command and Control Activity Detected192.168.2.450070104.21.64.180TCP
                2025-02-25T09:19:03.181232+010028257661Malware Command and Control Activity Detected192.168.2.450071104.21.64.180TCP
                2025-02-25T09:19:05.088927+010028257661Malware Command and Control Activity Detected192.168.2.450072104.21.64.180TCP
                2025-02-25T09:19:07.023097+010028257661Malware Command and Control Activity Detected192.168.2.450073104.21.64.180TCP
                2025-02-25T09:19:08.806256+010028257661Malware Command and Control Activity Detected192.168.2.450074104.21.64.180TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: http://touxzw.ir/sss2/five/fre.phpAvira URL Cloud: Label: malware
                Found malware configuration
                Source: 0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeReversingLabs: Detection: 26%
                Multi AV Scanner detection for submitted file
                Source: 7RryusxiMtHBz80.exeVirustotal: Detection: 31%Perma Link
                Source: 7RryusxiMtHBz80.exeReversingLabs: Detection: 26%
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
                Source: 7RryusxiMtHBz80.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 7RryusxiMtHBz80.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.Windows.Forms.pdbH source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175581299.0000000006021000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Accessibility.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.ni.pdbRSDS source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblicy source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdb9 source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: RegSvcs.pdb, source: VKLIKWXJXPZTHN.exe, 00000015.00000000.1784975928.0000000000782000.00000002.00000001.01000000.0000000D.sdmp, VKLIKWXJXPZTHN.exe.10.dr
                Source: Binary string: System.Configuration.ni.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: tc.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2154325872.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbw source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005F90000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: VKLIKWXJXPZTHN.exe, 00000015.00000000.1784975928.0000000000782000.00000002.00000001.01000000.0000000D.sdmp, VKLIKWXJXPZTHN.exe.10.dr
                Source: Binary string: System.Configuration.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: PwJ.pdbSHA256 source: 7RryusxiMtHBz80.exe, 00000000.00000002.1760076383.0000000004678000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1807575185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zkqXnJkrWmp.exe, 0000000B.00000002.2171131364.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\System.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp, WER4A47.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.Core.ni.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.pdbD source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.Windows.Forms.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: HP9nLC:\Windows\Microsoft.VisualBasic.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2154325872.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp, WER4A47.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Windows\dll\System.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005F90000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Drawing.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005F90000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.ni.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: PwJ.pdb source: 7RryusxiMtHBz80.exe, 00000000.00000002.1760076383.0000000004678000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1807575185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zkqXnJkrWmp.exe, 0000000B.00000002.2171131364.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb" source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.ni.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WER4A47.tmp.dmp.29.dr
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,22_2_00403D74
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 4x nop then jmp 03440C7Fh0_2_03440386

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49753 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49765 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49753 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49765 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49753 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49740 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49765 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49749 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49740 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49740 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49749 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49758 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49754 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49754 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49754 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49761 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49761 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49761 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49749 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49745 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49758 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49745 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49758 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49745 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49771 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49738 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49771 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49739 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49771 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49787 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49738 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49787 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49755 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49758 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49765 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49764 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49755 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49740 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49787 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49754 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49758 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49739 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49771 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49771 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49754 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49738 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49739 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49787 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49749 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49787 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49764 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49764 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49749 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49739 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49738 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49761 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49764 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49764 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49752 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49752 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49752 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49761 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49765 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49755 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49814 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49814 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49814 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49752 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49752 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49740 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49755 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49755 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49753 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49753 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49758
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49814 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49751 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49751 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49814 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49745 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49751 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49745 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49751 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49751 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49756 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49756 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49756 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49787
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49763 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49763 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49776 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49776 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49769 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49763 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49846 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49846 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49846 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49776 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49846 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49763 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49776 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49763 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49776 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49756 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49756 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49856 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49856 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49856 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49769 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49769 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49769 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49769 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49856 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49856 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49846 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49740
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49869 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49869 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49869 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49869 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49869 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49761
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49752
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49762 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49762 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49762 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49762 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49762 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49856
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49763
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49896 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49754
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49896 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49896 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49765
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49830 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49830 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49830 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49776
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49896 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49896 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49882 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49882 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49830 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49830 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49882 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49767 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49882 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49772 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49772 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49772 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49882 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49767 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49814
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49767 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49772 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49772 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49936 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49767 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49936 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49936 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49977 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49771
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49977 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49767 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49774 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49774 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49774 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49830
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49774 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49774 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49772
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49745
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49977 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49936 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49977 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49936 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49963 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49896
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49977 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49950 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49950 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49950 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49950 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49963 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49950 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49963 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49803 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49963 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49803 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49963 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50003 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49803 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49803 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49803 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49882
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50044 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50016 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49770 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49770 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50044 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49770 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49950
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49767
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50016 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50016 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50044 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49923 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49923 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50044 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50044 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49923 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50016 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50016 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49770 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50062 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50063 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50030 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50063 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49770 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50065 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50065 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50065 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50030 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50030 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49923 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49923 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49803
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50074 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50063 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50065 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50065 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50058 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50003 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50058 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50003 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50030 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50030 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50074 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50072 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50074 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50072 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50072 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50003 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50003 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50072 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50072 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50074 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50074 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50063 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50058 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50063 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50058 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50058 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50016
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49770
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50066 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50066 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50066 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49923
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50066 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50066 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50070 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50070 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50069 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50069 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50069 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50030
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50069 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50065
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50069 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50068 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49909 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50068 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50062 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50068 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49909 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49936
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49909 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50062 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50068 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50068 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49909 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49909 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50066
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50070 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50071 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50071 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50071 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50070 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50063
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50062 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50071 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50070 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50062 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50071 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50058
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49774
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50072
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50044
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49909
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50070
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50071
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50003
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50073 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50073 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50073 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50073 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50073 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49990 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49990 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49990 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49990 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49990 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50064 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50064 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:50067 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50062
                Source: Network trafficSuricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:50067 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50064 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:50067 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50067 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:50064 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50067 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:50064 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50073
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:49990
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50067
                Source: Network trafficSuricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.64.1:80 -> 192.168.2.4:50064
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: http://kbfvzoboss.bid/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.trade/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.win/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.top/alien/fre.php
                Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                Source: Joe Sandbox ViewIP Address: 104.21.64.1 104.21.64.1
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 176Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 176Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: global trafficHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 149Connection: close
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_00404ED4 recv,22_2_00404ED4
                Source: global trafficDNS traffic detected: DNS query: touxzw.ir
                Source: unknownHTTP traffic detected: POST /sss2/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: touxzw.irAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 35FF22E8Content-Length: 176Connection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B8mBhpZufpPA8BC0cq5HStlW4yuI%2BM1tdjZ9utza%2FP5658rKdm7tWE0Ihhez9xw6HXBWC6i4jcvwQRT0gxv%2Bh4tMg1JznxprXkRnn3RraSpRU807CjW7fYeiz3U%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176421c5dafde9b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1552&min_rtt=1552&rtt_var=776&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=415&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pY72tM0a8lnT%2FhURqAS7VWBO5%2FicqlVbhBVqCHjTzFVUrxEOfiNQqEyivyGBGlqlGdIv2ymM9BPm9ZC%2FwjnuEVGu4a1MfjsCr9Qo4oOx%2Bg3YFKc5Io15%2FLCx%2B4I%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917642289a397c87-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2007&min_rtt=2007&rtt_var=1003&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=415&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SEDnesX4iAtt4ms%2BXIt8kLYmC%2FpyAwDQILOMHxmBNR3Ms4artVtBbfIs%2FqnRuPgFTpOPgOM9ZYR6RlMtF3mOtJHn4JIiN0Z4U0e9c51AIZu0FSFazcxFzbgOXmo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176422fb84d43f4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1669&rtt_var=834&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G%2Frl9N42Qadmrjb6bT6CY%2B6H%2FEwkibFjK2EZNUpX6%2FLFpgfcOwikObFZLFlP%2Bb2WINl5RmVBsH55wNPLYsiXmfisfy2qbo9lX%2Bi11sqkF1n76TkRtz9Kg9bh%2Fn8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176423c0c7942bc-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1720&min_rtt=1720&rtt_var=860&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:30 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=423eD%2FQpc%2BUaugmZ4FC1GKQ7v6gDViA2cp77ZNsftL5ySReJNsgMvVYKF%2By2klEx0VvHC5U2B%2BRhM0VmDXonwkx4sF%2FCkI6B1TIq4L31yJBq12LaWRBLNQs1ijM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91764261bee0de96-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:34 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JJywMMwXP0Si2EqYJuJ9zSRLq2O3i0RKk3x3ceImSq1dIivGq5noiTYtmhNsvs5iYX6ycuzSQJsedwM5Z7%2F0iD0H6FeQsYwAAiZuE7s0eKx7AoL2dyndgOQ0NXc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917642799c4f1902-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1714&rtt_var=857&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BNm5dCwVzcynXENwCK24xI1r6SDp%2FcDOdTbmAJtA%2F9pFT%2B6XvLrtLG5cFcv9sQnh8YolaoYCA6zsLLY3CSNtNObmG7r%2FoBLuTUKlJMb%2FTpAsFfnZZmQb6DnJdhI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176429d5de943ed-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1739&min_rtt=1739&rtt_var=869&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QDJLkAFHsyAQijdXSobpJy%2BEn5xOxWHOmA0XEn5RoaHZnplUv64rEymLARVTS5plEdEU8sqkNHRk3%2FB9BFCEfWd86xarCOprpLFCw3ylG8jBt97vkDzKjCvI6vk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917642aa4ffa433d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2166&min_rtt=2166&rtt_var=1083&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vcyp0dp3nOqliPOjcPit7vhSAp3Z%2Fr3iDP6hqPPVSDSQyxqoZAayK2JNIWar1ohACDMS4MVwT9KflQJ8k2iGp9sZWhLms1lCOCPnTuZsWTonwDKqZfsyzMSNKTo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917642c93cac8c17-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2023&rtt_var=1011&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3xzW2xxgdxjDq6lmUKNlApW0GLVfkQlNyn4B%2FhrU8xBh3r%2BODJ6%2F4deFDp5zUCid9knTXFCI9kHln%2BKF9x8K%2BEi9OqHau6y0apwQpfjYWkQARvB5EmDpBqTfmfw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917642e22b2143fb-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1830&rtt_var=915&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=178&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9HHhCIFiRWSj0qg7gKsSraq061To0v0VF8FYpcFv84t6olsd0ba8qzs9M%2FcJjR%2B5xKCS%2FJOnOpIR52Yz51mk8oJhuHVfPeB2JJrhfpilV7ZvIODsEgkWN0veq6k%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917642ee5af84379-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2501&min_rtt=2501&rtt_var=1250&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NoNBRQUdcwZLl5NkLjHxiy1vH56FRwAlgRdqB%2BfGXZx5rBIowr3E1Oi1PIxtFm6hnMF07mP%2BSOmbEIyKi3i5SmKkLLYGc7So7%2BWB5s5eRa5meudS4Z3Fyr01aYI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917643060f7b4319-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2144&min_rtt=2144&rtt_var=1072&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:17:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O4uqUX6zq4uo%2BVVO%2BmC4FGJNBg2JR8NdtNbrETZPry5cytXs6PHcsweVkf46YkiyOnQEhUezg%2Fl6tybn%2BC2vsZ9jvsPFh5uhFNnc%2BJG85wfAUH1JRb46XDciKs0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917643127df50f6f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1680&min_rtt=1680&rtt_var=840&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:00 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ghWi5uwpBMij9CL%2F0pULs6iLlnqMoDy6Qp%2FQI6lJi4VmxVqqiyRIfJ89xs0Pj7Y2h5K6A7A0tKYakDy6KRyqBYnXHuG5LN5hI4E1L28u9bE6S%2FgJD%2F02wE2FB%2Bc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176431ddb37de9a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1663&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:02 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sKA7lim6kZH%2BG1grD%2FR6wOXbdyqy3ctxEUYSXWQu4v4K5aZ2rDLsXALNrBpzjUL0PKvckptNgYNy0O7onRVVXSA9FsXl1Y9jhgAXRQDNGVA5kLzSyz924LypNAM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176432b4975438b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2153&min_rtt=2153&rtt_var=1076&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=176&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q%2FLDb6FW%2BJe41fEqCZAjvD0ZKoqSWA1mkHl2UcRQ8Ee%2Fxw8z2ENKGqwTOuKMVWpb7gTdMGjtTVKC1UaYVYHja3uIo4Cb9T0Li9GVGtRhcNDh9HTs%2BUtCbNx0FTc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917643372adff799-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1689&min_rtt=1689&rtt_var=844&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zE4zaOvkepr3FvgpfDJGTnnw1xFCw84fupeikXTTVHJCIzUlIv5lK2OW7vf6jdWT2zISDhvVr1o6LmmzYB%2Fnu9z6kEQxSWyKlah4674y2DT9bYcXecG4M%2BMhg5Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91764343184b4343-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1678&rtt_var=839&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:08 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B0Ve7p%2FaEyIqsBNLDIFVeDgDgTiwubCNq5oqujGyUgXP1JEpgamTXD4x9DVEnmE39F2zutIJcfmgoJLh%2Brk826k4vofNn1hZeg4ioYoeo27Ou6rkk1M933jyHoQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176434f78945e60-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1706&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VdYTVnTHuu%2FSfhM%2BZbUd5MNKn5yrKqIVvFJTJeMikpVkqxegU9%2FEqwQWanTDfwZjXNcz%2Botk%2BBghkP5iK25WOnyOSGVKfQfFzxNtIQj2fbQqKVlR1q7SWUVEqIc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176435ceabcc342-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1651&min_rtt=1651&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FANfUY6ry5pTMbm%2By8jct0vJ%2Faq0zNyhgQCPko1emt3ocInlVaK4N%2B7SdAlm8Q5AsbMTPHjXr1XBsvtwUeu1kUTXW6dtN0HQs18uf%2BxAP4sjfeIJIkvh6MspFL4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91764368fa235e7a-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2494&min_rtt=2494&rtt_var=1247&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qnNWxPAZUuvm%2B5ZDxnnfhaSUnE6kSPvY118o53%2FwJJJATKt7nColF0h6PpgtHT6k4wXiMnvVk6poQV%2FUKKnEaNRLRM5%2BNDCadFLeDfKAolsD7Zmh2ACwp%2FzLTbk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917643825ecd42ef-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1736&rtt_var=868&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:20 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FHZsld1taFzK5Z4yTun6dxgwO8hvYc%2FArRQg9Yn3qzMWhtAKit%2F%2FfhIx0441ROB2VE5YsEvKvR81QZo%2FJsdNUUcWU2QTymNYBFuUJt%2BpDR5SgXQBd8DoN2JNygI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176439b3c000f65-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1563&rtt_var=781&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=djFMBXcKmy%2Fj2uwSyuZHh58QELinde637M%2FzHg1sG6s7Q8IIsBCvFhzmM0sI36UdN6FF3D%2BKJOleiGWjonUc235wSVOtikbrC9s4leIVPytI5aKadVEYH5V2A7E%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917643a689218c4e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1987&rtt_var=993&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:23 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=suiIP6L%2FJUOGuYrLOtGYqWxX1faSjrScJ9TFw0r%2BPh4ApSSsVbKx4oYk5ZrU6copnuzYZ1drEjIMd86I9js3pJPXp334gCAyc6PStjT%2BrSwLnv8LxXqCU0BX8Ds%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917643b29a49c47c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1647&rtt_var=823&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:25 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FWR9dec6KG1nYyJ23D%2Bs%2F0NES%2FhbpDsMzQ9pTl5huO7L4lBYvGyBKNhawvF7DU%2BgHTx9TKGKW1yiISibO%2BDHtI%2FQOePs%2F%2Bkc0YpJayb2UIt5F4PzpwRevma50cs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917643bdc94242b9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2192&min_rtt=2192&rtt_var=1096&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=196&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2al8b6Dlwd61jOnnxGBZ%2Bwq9QGilridPCnRV77teA8%2FfMCbgVkNPAAQ4YYIXLMBJuJMBrhuGVpgmz34REQjvC2%2Fxv%2BIyjEEYkFvjKP5jNbMZ8C%2BTlLtY4IAGkYg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917643c8ff5b4219-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2089&min_rtt=2089&rtt_var=1044&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6ND5qGYDuJMKKCy5723JrayZ69Ye21l433oDAvpEUt6AKtsjzmgqyaScDuh4o%2BpX53%2FF03KULFxha5GVtqrg0W7L1cFv6yPNGsXxZGfB8gB5%2B%2FTRFfMk0V4qRiI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917643d52e6e1a40-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2655&min_rtt=2655&rtt_var=1327&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:35 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pW2WCvYs8gV0tRmDIf%2F6TTwafgl51s%2BIKvyY4No99LftI6EHoFrh9ycw1qdG6H5eS%2FT0Bwp7x00jpRDYkkt4hD7S392yh3PWZvO8b0BmI3AkZKx8uS0aDNDi%2Fu8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917643f8aff15e64-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1731&min_rtt=1731&rtt_var=865&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:37 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e%2BIOdDa%2Fit8kFWYahIeZDtqksPXy%2BbVrTlLptdcf9Jgn6%2FjnC0rIY%2BFxP5HkZXKHxCKOLbNgWQ83vYp6a3Xak2qCf4B%2B%2BOsul5OyukZ%2FcoV878dFFFMZZOkOHWo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91764403dfcd4211-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1830&rtt_var=915&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Ra11s1gX97tTklF%2FPDgs3jE9rWolc9UqFba3TiQmhjoplWaivXanpi3ScyjT1A6sG%2FudPErLVHEoeTHQKmPAq%2F6NMvQtwTbA5Xrz6rW4dcPYMom97m82mB%2B30o%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176440faca40f36-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1682&min_rtt=1682&rtt_var=841&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:40 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MH1OZ4uoByIffEUUeFvtJQRNbeDFgwc0EwgxPzbNEx%2FmHIkmOSyaUg9O4nLjSgKZP8wa0m%2BV2lIuYoj8UH5pJKVhWghx%2BpJiC%2B8OVVpLVZAiyyAA8koRcHFKiFI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176441bbab442da-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1871&min_rtt=1871&rtt_var=935&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:42 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RwKPKMBClllsaBrReAvI5ui0wnuZmr7n8uaFqgg%2B3ppiR%2Bfhsm8VLEwqxGyyOC4rzA8MbOzosFcixyI8b758zDoH%2Bmj9urIQIDzTrH4plABuOFjWOTfrQ0M9AMc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91764427abe6f78d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1532&min_rtt=1532&rtt_var=766&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NUyHh5nvdhBUglSsK4LMn0g%2ByuQBw1f5LwE2lj2U8tXIKjot2y2IJMWBXzGUtRyxhqgQ4fG6Hjwot%2BggQDXvbeKO766gZ5BOZRsgkUss9n93maCHAgFwxRykKDc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176443449d0c339-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1653&rtt_var=826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fv6DlSvdrWTIzp4PqJev6%2F1DGyCt%2FiawXWN46djhFmZ8yPnf9XFKCtY7CXcIUPjBGA%2F6IBvWdgHSm2bFNHuqGAuN%2B6m0TpCDglHJSA24yc8S6RYnQfvighoOBBo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917644403f34435c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1693&min_rtt=1693&rtt_var=846&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BZ8noRvOUvk8lxUxZ%2BvWJJYnVbx4DnsqgmsDVp2u0K0T%2BuCz5t5Nvlx5hyIkrzxkVSt%2FhcHzTRXgfynBYKO%2FqH7bTDmjIqUdPJ9quTF3yUYHxgY1g%2Frr7y80NOU%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176444bc8607cff-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=11135&min_rtt=11135&rtt_var=5567&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LuGwrC%2BOBdLc1f%2FUFaICl75Avpjr7bBnD78UQk6mJsB762WvSJkJtpk9aoQrSIWjG8ROyxLCbGXqNoAN3RU%2BejWhEl0r%2FDEMboBU6WhO7YCyHpn3GNE%2FX2ec4I8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91764457fc034277-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1747&min_rtt=1747&rtt_var=873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:52 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WohY0%2FN23pzkx1IHArpp8PAWbKKAyMm4VGT3vulA8nS2MDirzA2%2BaYwkzED9s1yqPZqZE5tWumv5dCc5yBnQY4z7wM%2F%2Bfq1LsWNhHD%2B06kg67NpzBrPYsJjOLEc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917644643d36c431-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1706&min_rtt=1706&rtt_var=853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uPzAw87Oyw5o4j6ANNBhUtPXKutBZPLnVLRSJVZake0CKfiNKQ2dGtYzIg2SdF2btyKxsxMthSa1OF7GhqltunyDkc%2BD%2BcZ2j1rWXpaVR1AcdI8%2Fri23womi3jc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917644706f99f5f6-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1608&rtt_var=804&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:18:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=82mRkXwgBxIZ9l1vxN0tD%2BLgqmd9UYegmTVOTU4RTWmVm%2FIHF7qmQTMmzAzDeQU1r9XzXsMK9Xs8iSrg7Y07mokIWTrTSqw%2BXKbxtd6%2Bjs94NjnJMp%2BezmSSA4E%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176447b8ad542f8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1721&rtt_var=860&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:19:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hibvOAiyKuSCEYNOcyWnTxRO6jDCnBv7inaSpCqhC5lO0zA%2BdutYoEJZ4qcm8n%2BgeMXieep7hDuR6%2F3xIlP2FIUxDvFgAEmL2MY5xv%2FP0reVHoDvJqjW6KOXvI4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9176449f3bef42b3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2526&min_rtt=2526&rtt_var=1263&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:19:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cvlEBXp6qj%2B6M9GmMfnr2SsevS0vP6OCyvvkNxI9wzlM8oPsv2RVhfeuR%2Bg7J5WgzS5CLSbj3m1vG5DuCvj32iWxU2fR3B4TvjvUNdAcLl%2FUhm5z3Sua3iWr3pM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917644ab6e904291-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1746&min_rtt=1746&rtt_var=873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:19:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2F%2BeYVblAsl6rrr5pR2u5NoboeGJZHRJ%2BM9uwJwAdQN0QOeh80z6Ry0OBjrQBxm5UvwPToHjs5RPw0KhUdI8xfwv0TmdvG33c2noR24t7Mkt4JdOdJFsWAC3um8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917644b74ed872bc-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2041&min_rtt=2041&rtt_var=1020&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 08:19:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not Foundcf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7HyK2AMpCgMPdAJ5XVz84R1o2TgOvsncTl9XhHfNH3mxNivwXAhW5Rrh5pXmKMVpPF2NrkepMuoK3%2BVXljuc8fXjMimbv50oLxZdQFasb9LQtpqgaRQz9QrbpZ0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 917644c35bab42f1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1744&rtt_var=872&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=388&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
                Source: RegSvcs.exe, 00000016.00000002.2913772816.0000000000C28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://88.255.216.16/landpage?op=1&ms=http://touxzw.ir/sss2/five/fre.php
                Source: 7RryusxiMtHBz80.exe, zkqXnJkrWmp.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: 7RryusxiMtHBz80.exe, zkqXnJkrWmp.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: 7RryusxiMtHBz80.exe, zkqXnJkrWmp.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1755927312.000000000365C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1811476991.00000000029E6000.00000004.00000800.00020000.00000000.sdmp, zkqXnJkrWmp.exe, 0000000B.00000002.2162472491.0000000002DDC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: RegSvcs.exe, RegSvcs.exe, 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.ibsensoftware.com/
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1765876723.0000000007932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: 7RryusxiMtHBz80.exe, zkqXnJkrWmp.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 10.2.RegSvcs.exe.3849990.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 10.2.RegSvcs.exe.3849990.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 10.2.RegSvcs.exe.3849990.4.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 10.2.RegSvcs.exe.3849990.4.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 10.2.RegSvcs.exe.38639b0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 10.2.RegSvcs.exe.38639b0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 10.2.RegSvcs.exe.38639b0.2.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 10.2.RegSvcs.exe.38639b0.2.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000A.00000002.1815755200.0000000003863000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 0000000A.00000002.1815755200.0000000003863000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 0000000A.00000002.1815755200.0000000003863000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000A.00000002.1815755200.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 0000000A.00000002.1815755200.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 0000000A.00000002.1815755200.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
                Source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: Process Memory Space: RegSvcs.exe PID: 7288, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: Process Memory Space: RegSvcs.exe PID: 7856, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_01A242100_2_01A24210
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_01A26F910_2_01A26F91
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_01A2DF6C0_2_01A2DF6C
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078E6A280_2_078E6A28
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078EB5880_2_078EB588
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078EB1500_2_078EB150
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078EBF380_2_078EBF38
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078EBF300_2_078EBF30
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078E9EB00_2_078E9EB0
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078E6A230_2_078E6A23
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078E9A780_2_078E9A78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00E84AE110_2_00E84AE1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00E8D6CC10_2_00E8D6CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0541C13010_2_0541C130
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0541AA5810_2_0541AA58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0541F59010_2_0541F590
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0541F5A010_2_0541F5A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0541E64010_2_0541E640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0541C12010_2_0541C120
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0541F2A810_2_0541F2A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0541F2B810_2_0541F2B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0541AA1710_2_0541AA17
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_02B9421011_2_02B94210
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_02B96F9111_2_02B96F91
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_02B9DF6C11_2_02B9DF6C
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_0789EBA811_2_0789EBA8
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_07896A2811_2_07896A28
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_0789B58811_2_0789B588
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_0789B15011_2_0789B150
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_0789BF2811_2_0789BF28
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_0789BF3811_2_0789BF38
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_07899EB011_2_07899EB0
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_07896A1A11_2_07896A1A
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeCode function: 11_2_07899A7811_2_07899A78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_0040549C22_2_0040549C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_004029D422_2_004029D4
                Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe 2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0041219C appears 45 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00405B6F appears 42 times
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 1808
                Source: 7RryusxiMtHBz80.exeStatic PE information: invalid certificate
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1766763201.0000000007E10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs 7RryusxiMtHBz80.exe
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1764286594.0000000005D70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTL.dll" vs 7RryusxiMtHBz80.exe
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1755927312.000000000365C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePwJ.exe: vs 7RryusxiMtHBz80.exe
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1764723198.00000000065D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs 7RryusxiMtHBz80.exe
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1760076383.0000000004678000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePwJ.exe: vs 7RryusxiMtHBz80.exe
                Source: 7RryusxiMtHBz80.exe, 00000000.00000002.1754066579.000000000180E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 7RryusxiMtHBz80.exe
                Source: 7RryusxiMtHBz80.exe, 00000000.00000000.1661560131.00000000010F6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameQWzs.exe: vs 7RryusxiMtHBz80.exe
                Source: 7RryusxiMtHBz80.exeBinary or memory string: OriginalFilenameQWzs.exe: vs 7RryusxiMtHBz80.exe
                Source: 7RryusxiMtHBz80.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 10.2.RegSvcs.exe.3849990.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 10.2.RegSvcs.exe.3849990.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 10.2.RegSvcs.exe.3849990.4.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 10.2.RegSvcs.exe.3849990.4.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 10.2.RegSvcs.exe.38639b0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 10.2.RegSvcs.exe.38639b0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 10.2.RegSvcs.exe.38639b0.2.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 10.2.RegSvcs.exe.38639b0.2.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000A.00000002.1815755200.0000000003863000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 0000000A.00000002.1815755200.0000000003863000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 0000000A.00000002.1815755200.0000000003863000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000A.00000002.1815755200.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 0000000A.00000002.1815755200.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 0000000A.00000002.1815755200.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: Process Memory Space: RegSvcs.exe PID: 7288, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: Process Memory Space: RegSvcs.exe PID: 7856, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 7RryusxiMtHBz80.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: zkqXnJkrWmp.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, x9htdCmuuU8lHOxlpm.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, x9htdCmuuU8lHOxlpm.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, x9htdCmuuU8lHOxlpm.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, hcgnnAjGQ4KxqADGLY.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, hcgnnAjGQ4KxqADGLY.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, hcgnnAjGQ4KxqADGLY.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, jD66woR24O2wyyJgmp.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, jD66woR24O2wyyJgmp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, knVK1B9YljLThomR34.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, knVK1B9YljLThomR34.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb"
                Source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@39/33@1/1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,22_2_0040650A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,22_2_0040434D
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeFile created: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7340
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeMutant created: \Sessions\1\BaseNamedObjects\bcFaWdiHPZ
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\CQYFcTqurOq
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeFile created: C:\Users\user\AppData\Local\Temp\tmp51E8.tmpJump to behavior
                Source: 7RryusxiMtHBz80.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 7RryusxiMtHBz80.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: 7RryusxiMtHBz80.exeVirustotal: Detection: 31%
                Source: 7RryusxiMtHBz80.exeReversingLabs: Detection: 26%
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeFile read: C:\Users\user\Desktop\7RryusxiMtHBz80.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\7RryusxiMtHBz80.exe "C:\Users\user\Desktop\7RryusxiMtHBz80.exe"
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp660C.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp7DF9.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7340 -s 1808
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp660C.tmp"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp7DF9.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
                Source: 7RryusxiMtHBz80.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 7RryusxiMtHBz80.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: 7RryusxiMtHBz80.exeStatic file information: File size 1289736 > 1048576
                Source: 7RryusxiMtHBz80.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x132c00
                Source: 7RryusxiMtHBz80.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: 7RryusxiMtHBz80.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.Windows.Forms.pdbH source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175581299.0000000006021000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Accessibility.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.ni.pdbRSDS source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdblicy source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdb9 source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: RegSvcs.pdb, source: VKLIKWXJXPZTHN.exe, 00000015.00000000.1784975928.0000000000782000.00000002.00000001.01000000.0000000D.sdmp, VKLIKWXJXPZTHN.exe.10.dr
                Source: Binary string: System.Configuration.ni.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: tc.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2154325872.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbw source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005F90000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: VKLIKWXJXPZTHN.exe, 00000015.00000000.1784975928.0000000000782000.00000002.00000001.01000000.0000000D.sdmp, VKLIKWXJXPZTHN.exe.10.dr
                Source: Binary string: System.Configuration.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: PwJ.pdbSHA256 source: 7RryusxiMtHBz80.exe, 00000000.00000002.1760076383.0000000004678000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1807575185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zkqXnJkrWmp.exe, 0000000B.00000002.2171131364.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\System.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp, WER4A47.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.Core.ni.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.pdbD source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.Windows.Forms.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: HP9nLC:\Windows\Microsoft.VisualBasic.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2154325872.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp, WER4A47.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Windows\dll\System.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005F90000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Drawing.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005F90000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.ni.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: PwJ.pdb source: 7RryusxiMtHBz80.exe, 00000000.00000002.1760076383.0000000004678000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1807575185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, zkqXnJkrWmp.exe, 0000000B.00000002.2171131364.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb" source: zkqXnJkrWmp.exe, 0000000B.00000002.2156852060.0000000001063000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: zkqXnJkrWmp.exe, 0000000B.00000002.2175203001.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.ni.pdb source: WER4A47.tmp.dmp.29.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WER4A47.tmp.dmp.29.dr

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 7RryusxiMtHBz80.exe, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: zkqXnJkrWmp.exe.0.dr, Form1.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, x9htdCmuuU8lHOxlpm.cs.Net Code: GEwOF3PwI3Iqm9erBhF System.Reflection.Assembly.Load(byte[])
                Source: 0.2.7RryusxiMtHBz80.exe.5d70000.2.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 10.2.RegSvcs.exe.53d0000.5.raw.unpack, RK.cs.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, hcgnnAjGQ4KxqADGLY.cs.Net Code: RVRZqj1kVOlGdFU5GvT System.Reflection.Assembly.Load(byte[])
                Yara detected aPLib compressed binary
                Source: Yara matchFile source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.3849990.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.38639b0.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1815755200.0000000003863000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1815755200.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7288, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7856, type: MEMORYSTR
                Source: 7RryusxiMtHBz80.exeStatic PE information: 0xA9D196A5 [Tue Apr 13 12:31:33 2060 UTC]
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_0344255F push dword ptr [edx+ebp*2-75h]; iretd 0_2_0344256F
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078ED0F9 push ebx; retf 0005h0_2_078ED0FA
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078ED060 push edx; retf 0005h0_2_078ED062
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078ECF89 push ecx; retf 0005h0_2_078ECF8A
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078ECF40 push ecx; retf 0005h0_2_078ECF42
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078ED9A9 push edi; retf 0005h0_2_078ED9AA
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078ED8B0 push esi; retf 0005h0_2_078ED8B2
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078ED8E8 push edi; retf 0005h0_2_078ED8EA
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078E6801 push ss; retf 0005h0_2_078E6802
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078ED801 push ebp; retf 0005h0_2_078ED802
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeCode function: 0_2_078ED879 push esi; retf 0005h0_2_078ED87A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00E8EB00 push ss; ret 10_2_00E8EAD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0541A7E8 pushfd ; retf 10_2_0541A7E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_05419A68 push eax; ret 10_2_05419A69
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_00402AC0 push eax; ret 22_2_00402AD4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_00402AC0 push eax; ret 22_2_00402AFC
                Source: 7RryusxiMtHBz80.exeStatic PE information: section name: .text entropy: 7.804447831596506
                Source: zkqXnJkrWmp.exe.0.drStatic PE information: section name: .text entropy: 7.804447831596506
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, ql0esjx6wrBMGOSW2E.csHigh entropy of concatenated method names: 'BWRoRRLI8K', 'DFwoyvDdQo', 'EiMoLWogWT', 'D5joXHflxJ', 'xlRoNA4axb', 'Fe6ovx5IOG', 'G8Zo3Qw1kV', 'g3do8vjvAB', 'hAIohGEL9Q', 'nQtorNbJIw'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, x9htdCmuuU8lHOxlpm.csHigh entropy of concatenated method names: 'NRTZD6oVWh', 'nHiZAmBork', 'ta8ZfM9c9r', 'y2gZaBAllI', 'yBVZUdaRMI', 'kL2ZGSydVo', 'rM4ZS6PfyY', 'o1oZmfbCyq', 'DuhZkJNIew', 'FVDZQXh2dp'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, Tchhr4dBYaRp8MhARZ.csHigh entropy of concatenated method names: 'HSOuLkeCQZ', 'UInuXrnDbk', 'nYrupvSv5Z', 'QGWuNxZaIk', 'xEPuvkW7bC', 'J72u9gHqP9', 'R1xu3vOgnd', 'LD9u8VPQ3B', 'HHWuEOJuqD', 'byhuheeh3j'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, rMuFR6bcOhSCcMXoH4.csHigh entropy of concatenated method names: 'yEDuYMfuXb', 'Rxpu2dyRUg', 'tLZuuPlGKT', 'GCeuKLskZQ', 'ptgunIoieu', 'mA1u5sPyC3', 'Dispose', 'cwYHAw156C', 'ccQHfyVThP', 'l5fHaop2Ji'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, KlfF01shOMVNn3o49U.csHigh entropy of concatenated method names: 'GYJWvEfvs', 'nUPjRDmj2', 'RYROC8l5U', 'tVkBtgLVa', 'RqRyEPFnY', 'KLtqeAGFG', 'IJZBV0GTQG80kYCpnU', 'qyoNWGOIky4u4qZWyP', 'skjHdpUbN', 'ckO1JZXgF'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, hk3FwOaDDSs7ePrIq0.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ULpsdYKf8I', 'oNns0v9gj6', 'z3sszcZULu', 'AdjZenXRi4', 'AYIZiGdngH', 'Te7ZspLWZ0', 'OXuZZ3fqhw', 'pYbvVfPdOTABkg41wD9'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, nv62xZiiIeTAUEtbEa9.csHigh entropy of concatenated method names: 'TIM10uPAvk', 'u2w1zfjWUP', 'bUdKeVXiiW', 'HjDKi2OQMh', 'QEFKsXWKK8', 'BnEKZpVPTq', 'sywK6REqv3', 'UFVKDZqhWH', 'AvCKAfjNpj', 'Pj7KfcIUq4'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, Ewj4rdtnh6NVCZFFvr.csHigh entropy of concatenated method names: 'lXU2Q8xUsT', 'ykv2F6XjZp', 'ToString', 'Peu2A7WTXW', 'JLn2ftec3S', 'qMp2a2pm7b', 'dbm2U5SuOU', 'bkN2GXjwcb', 'dkK2SsTglg', 'vUT2mmRrnD'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, VlWSkmfoHQno7clw52.csHigh entropy of concatenated method names: 'Dispose', 'NSCidcMXoH', 'eBIsXkGydF', 'dOvbVyWWaE', 'WJ6i0Ix3fj', 'VuGizG7T5k', 'ProcessDialogKey', 'SUtsechhr4', 'DYasiRp8Mh', 'fRZssMaiLm'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, TaiLmr0GQPaguATajr.csHigh entropy of concatenated method names: 'bGp1aGBonp', 'vnY1U1fFIW', 'sgN1GLLEYu', 'NQS1SvPa83', 'K4Y1utI0BG', 'iZg1m9vV50', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, IURCeriePyoBfZmHK6B.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ycJ1rt6j1s', 'JTo1PE8QY8', 'G6g1x3gmNC', 'QTb1JcvgYO', 'Ydg1gIoT1w', 'c7Q1MFLWAI', 'U3Q1t72Tjx'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, Uny1tZ3r36xucqmPpU.csHigh entropy of concatenated method names: 'r9KSA30UIL', 'h8KSaNSqMq', 'UsCSGHWp83', 'EtTG0Lwn4c', 'x9XGznA99F', 'WKjSe7o5sP', 'jZISilbnR0', 'd3XSssjZFY', 'a7FSZ15IKb', 'VkxS6v6Wq6'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, fJy5WXqNYidboN26Gj.csHigh entropy of concatenated method names: 'shbUwxu0s1', 'p8FUBepJ45', 'pM7apJFZYO', 'CSFaNGWIJ5', 'j48avqrNrY', 'Fy3a96pXCG', 'yFsa3w53vU', 'meXa873Cjf', 'zwQaE0OQQ3', 'AH2ahd2Mbd'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, eSDb6Z6v0BxiDaJyTL.csHigh entropy of concatenated method names: 'H9SiSD66wo', 'p4Oim2wyyJ', 'pRpiQdaRMp', 'IAAiFYAJy5', 'I26iYGjPXq', 'oW0iI3NDmt', 'rm2hU135FFv1UdwdKb', 'tZNr4Y0wEwXLQIkmwE', 'SDQii9cKKS', 'e7KiZFKMMd'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, jD66woR24O2wyyJgmp.csHigh entropy of concatenated method names: 'yVifJU89Sq', 'dgefgfC8Cs', 'VTZfM2C7wU', 'k0gftpUE6x', 'Trsf77iPpb', 'MqkfTkt9KX', 'KFJfbnExVj', 'P2Ff4VSiqO', 'I51fdmavWT', 'AZmf0r7cpY'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, HEkNxbE2EeHrIJeHeY.csHigh entropy of concatenated method names: 'INLSVy1Qc5', 'y8JScrp0ci', 'PYHSWZXjf0', 'G6vSjmTaek', 'k57SwgbtaT', 'hUOSOlIJLu', 'zIuSBoTKHD', 'ArZSRcy5rG', 'oO9SyO9qgd', 'jMfSqnJGM1'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, Flbje3z3TBSiSAXRWh.csHigh entropy of concatenated method names: 'iJi1OOwIPO', 'DhW1R2APrV', 'v3W1yfVoxg', 'iO31LAUn9E', 'lyH1XD0Utq', 'kdJ1NXL72U', 'Uqk1vO8PTv', 'BuM15EUscr', 'h9J1VH7VRQ', 'd3q1cl5Wo7'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, duKOCli68pd69wxmRDf.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xVHCuHsUEs', 'boEC1b7pTk', 'svqCKCFILk', 'g6FCCQFCK1', 'Vl4CnaraCu', 'uGOClT7QfY', 'ivfC5Z10Bu'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, TStc0IyRpdaRMpNAAY.csHigh entropy of concatenated method names: 'xeHajbGQBw', 'Y4YaOGwKIb', 'UkZaRmv710', 'jefayClpCq', 'PT5aYuCSDX', 's34aI7WOql', 'IsPa2tu0XJ', 'WSkaH9ic3x', 'ph8auc2M7e', 'ovFa1WbVsS'
                Source: 0.2.7RryusxiMtHBz80.exe.7e10000.3.raw.unpack, PXqYW0L3NDmtope2lM.csHigh entropy of concatenated method names: 'ogIGDgCdyP', 'FGDGf91MRb', 'pdIGU2taTa', 'K1QGS0WHyg', 'YhCGmok3rR', 'cNHU7r9Hmm', 'whsUTTxh36', 'bNTUbEEvk5', 'pK7U4yE4C0', 'Y3UUd2jOlF'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, fL29SX3JKWHa26kQt4.csHigh entropy of concatenated method names: 'UCVJtVmGwQ', 'ESFJS1F84p', 'KdFJaXVOKr', 'xjyJhfG7IW', 'bOWJjYBOjS', 'zIuaV0R73m', 'UA0aTOUJUb', 'CLqaOgFyT5', 'e5VaGW0PVE', 'ECxad3HjxV'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, JjEFwqeYA2pi2tdEA0.csHigh entropy of concatenated method names: 'ToString', 'pqP8I1c9u2', 'zpr8MxZI1y', 'EeT8Ws4VfA', 'DZX8HBkOhG', 'CsS8kCDwYB', 'Qs28ftF78A', 'AFw8l4Ek52', 'FHc84syD0F', 'yhi8sdZfGF'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, jEAEsIX7FVWtqw3VulQ.csHigh entropy of concatenated method names: 'Iu3KR9xGKV', 'amnKz8yLet', 'ttnFPRJROB', 'SCAYqvVXbBuSKeeZ650', 'z2y52RV5qHUTl2QPO9F', 'D8raFOVqZ9x06uijw4t', 'yqmBt5VIENdYsPiAyO3', 'QBFVXrVC2VgZdnCWtAH', 'EY8tvdVuMh6FgXM9SRL'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, yxTHqcXiMsidREFJDXo.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GN8FgsQXjc', 'iT1Fudy2n2', 'lLiFKfYXEl', 'jYoFFUjEGG', 'U7SFUA7dj9', 'BVLFLSXHri', 'zrAFxw4s8M'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, vWjipLXXwBxLdlFDm7T.csHigh entropy of concatenated method names: 'N7MuRYaNZV', 'vV9uzFGSgx', 'LiMKPinQll', 'GDgKX6Lcoc', 'b8iKDoNxdo', 'exlK7adGrE', 'kuOKiK7lLi', 'cGPKtNkMYh', 'rKLKNLoJie', 'W7aKSwqmr6'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, SUETjriNPUEcYEYNbu.csHigh entropy of concatenated method names: 'w65XhnVK1B', 'PljXjLThom', 'o9rX6FCaOx', 'pI8XCTpX31', 'r7MXoHxNL2', 'DSXX8JKWHa', 'mybJSjqiT0rCyLqPxF', 'KlcsLTIC6wf5KLSrtu', 'v3xXXVTlTX', 'IYAX7F0cpj'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, iZjubMsri4FYc5EPn6.csHigh entropy of concatenated method names: 'cTmhpgmUfr', 'rkVhcCj5UO', 'OkghAMG4GB', 'u6ihwLyHF6', 'dlShbhagC3', 'bVyhQnxXYw', 'kmbhZwIQcX', 'Bmxh9KGFKf', 'Fv1hBYykqu', 'HNah0vOPgm'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, HusxbRmWv71Dtq2tGt.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uNuDdgNs6i', 'vg5DR3hGU0', 'SvADzWgoos', 'ALE7PITAE1', 'fk57XLTbiM', 'TMH7DOpGJk', 'pC477glI4x', 'StlaCG1Vs1qyuaSbNb3'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, ghl0EhORkcusfQSmXN.csHigh entropy of concatenated method names: 'oUkgoYxE6u', 'nDOgv7Vshn', 'VuoggeGwTO', 'ls0gKXxZRQ', 'GOigU2JI4e', 'esdgxdhMyf', 'Dispose', 'D3X1NxI21R', 'TSK1StUmhK', 'p8H1mkEsWl'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, uK1oMND5KJpQKt6Ax9.csHigh entropy of concatenated method names: 'DMaASj4Pg', 'bW0wnqDXV', 'WIPQ3ygRx', 'MlaZv8t11', 'vMNBBxaan', 'lUo0LQlB5', 'vER7hrFSNZld96yClY', 'sgn8jtbRiPIBqOtunO', 'auQ1p26lE', 'Ys1u1v9im'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, P7sQQuzbHRdTKJ62RV.csHigh entropy of concatenated method names: 'hGKuQvenV9', 'OG4u9UMdmX', 'PVIuBR3vHB', 'Dqou3g6fBU', 'YqxuMEn6pe', 'BahuHLEBTB', 'U3xukXgiud', 'atRuxXaEeJ', 'Wk7upgKBVo', 'ypEucrydfn'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, A4rTttd7J68yQ28HSI.csHigh entropy of concatenated method names: 'dAMg3RkU9O', 'nPNgMEfFWA', 'qKugWamcb6', 'l6CgHqPpZS', 'AOOgkphvpT', 'Cwfgfqyppm', 'flRgluEEsK', 'kJSg431JO3', 'ie0gsqWY8Q', 'xsfg2JxD9w'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, knVK1B9YljLThomR34.csHigh entropy of concatenated method names: 'cxISnwWWjW', 'oadSEbEOon', 't5CSeEERGC', 'R41SqhWarC', 'VHISVYEnEN', 'dSTSTdDAK1', 'HbSSOfEdDB', 'eu5SGenlWv', 'ibPSdPrpvK', 'icgSRDI61f'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, oP13NPREag6rAykIvN.csHigh entropy of concatenated method names: 'deQumEIX1B', 'N5rualrqtV', 'HKauJ73OyT', 'KyjuhCHeYY', 'jldug78syy', 'SBOujO5w69', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, I4OfpoB9rFCaOx8I8T.csHigh entropy of concatenated method names: 'NgemwPbx5m', 'UbZmQFUAPJ', 'OXrm9heuRd', 'shWmB4JD1y', 'OpemoVBEwA', 'wb8m83nmqA', 'jLOmvU2hsN', 'aXGm1Jxy2K', 'ipBmgkocX1', 'VokmuSwaSU'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, yX31wU0NkopCE17MHx.csHigh entropy of concatenated method names: 'Lseab4WpNP', 'duJaZ6Ygkv', 'AuCmW1Wu7v', 'dsUmHm9RHd', 'Rg3mklsWCV', 'IqkmfWHV57', 'K1CmlQ1Cts', 'LEpm4i4eeh', 'PdsmsDgRZa', 'bDhm2Y5O4E'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, FHc8UCrmBbRnJ5wDJj.csHigh entropy of concatenated method names: 'wBLy9duG9I', 'TxwyBNI8Nl', 'Lgyy3x2FPl', 'UmAyMXfx5L', 'TeayHNBqJb', 'U29ykoODch', 'LRDylqsJh2', 'fOry4SgeiT', 'FdJy2CMkIh', 'cxMyIFuj1Y'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, iC6v2PXPAevv2n20rB6.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YjxuIkWLms', 'fVTuYEcIxS', 'Iyrur8GkAQ', 'FwjunDKmb2', 'IQwuEs8lKr', 'TyPueWwAVO', 'mROuqXes8u'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, vKC1b7TdVtLqMhoMnq.csHigh entropy of concatenated method names: 'EwovGLAE6F', 'Hk1vRdhFiN', 'qd31PMWlci', 'XmP1X9vU0V', 'IJnvIwUFgv', 'z6vvYhVBc2', 'LUTvr4qc7D', 'HStvn1t3pj', 'xVwvEZjUyv', 'FV5veh1Ox0'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, vmM98jS8xa4ivZYyUL.csHigh entropy of concatenated method names: 'Dispose', 'yusXdfQSmX', 'FyrDMikCv4', 'ynSbIsZtjG', 'fHCXRG5WF0', 'wfaXzlMeA5', 'ProcessDialogKey', 'CtwDP4rTtt', 'cJ6DX8yQ28', 'ISIDDoP13N'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, hcgnnAjGQ4KxqADGLY.csHigh entropy of concatenated method names: 'JBv7t720iS', 'y6r7NQ8xTj', 'VYW7SG3Ct6', 'LE07mhSWFy', 'v0H7aFtxT6', 'zk47JjI24j', 'WOw7hShCDU', 'WSN7jSpyXL', 'EH175OSY4B', 'aFm76SAFKZ'
                Source: 10.2.RegSvcs.exe.4207d40.3.raw.unpack, GxRMCtnKCqNFhrP4Jq.csHigh entropy of concatenated method names: 'ORro2ZRKPB', 'st3oYjmx0q', 'CXDonPJXiD', 'mIdoEb8FlV', 'bTCoMs7jJw', 'KHRoWrP0vu', 'M4GoH9NkQZ', 'm7PokDeFSC', 'wWiofFyKgP', 'C3DolwpUht'
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeFile created: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeJump to dropped file
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeJump to dropped file

                Boot Survival

                barindex
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp"

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: 7RryusxiMtHBz80.exe PID: 7080, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7288, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: zkqXnJkrWmp.exe PID: 7340, type: MEMORYSTR
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory allocated: 1A20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory allocated: 3610000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory allocated: 3410000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory allocated: 83F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory allocated: 8030000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory allocated: 93F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory allocated: A3F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeMemory allocated: 2B90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeMemory allocated: 2D90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeMemory allocated: 4D90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeMemory allocated: 78A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeMemory allocated: 75B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeMemory allocated: 88A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeMemory allocated: 98A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeMemory allocated: 28C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeMemory allocated: 2A30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeMemory allocated: 4A30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8205Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8422Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5882
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5567
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exe TID: 6176Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184Thread sleep count: 8205 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7360Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7688Thread sleep count: 5882 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7656Thread sleep count: 112 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7760Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep count: 5567 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe TID: 7996Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,22_2_00403D74
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 60000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 60000
                Source: RegSvcs.exe, 00000016.00000002.2913772816.0000000000C28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_0040317B mov eax, dword ptr fs:[00000030h]22_2_0040317B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 22_2_00402B7C GetProcessHeap,RtlAllocateHeap,22_2_00402B7C
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe"
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe"
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe"Jump to behavior
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 496000Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 49A000Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 871008Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7RryusxiMtHBz80.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp51E8.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKLIKWXJXPZTHN" /XML "C:\Users\user\AppData\Local\Temp\tmp660C.tmp"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zkqXnJkrWmp" /XML "C:\Users\user\AppData\Local\Temp\tmp7DF9.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Users\user\Desktop\7RryusxiMtHBz80.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeQueries volume information: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\zkqXnJkrWmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeQueries volume information: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\VKLIKWXJXPZTHN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\Desktop\7RryusxiMtHBz80.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected Lokibot
                Source: Yara matchFile source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1815755200.0000000003863000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1815755200.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7288, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7856, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                Source: Yara matchFile source: 00000016.00000002.2913772816.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Tries to harvest and steal ftp login credentials
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                Tries to steal Mail credentials (via file registry)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: PopPassword22_2_0040D069
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: SmtpPassword22_2_0040D069
                Source: Yara matchFile source: 22.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.3849990.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 22.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.38639b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000002.1811476991.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1815755200.0000000003863000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1815755200.0000000003849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000016.00000002.2912901125.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Scheduled Task/Job                		1
                DLL Side-Loading                		1
                DLL Side-Loading                		11
                Disable or Modify Tools                		2
                OS Credential Dumping                		2
                File and Directory Discovery                		Remote Services1
                Archive Collected Data                		3
                Ingress Tool Transfer                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                Scheduled Task/Job                		1
                Access Token Manipulation                		1
                Deobfuscate/Decode Files or Information                		2
                Credentials in Registry                		13
                System Information Discovery                		Remote Desktop Protocol2
                Data from Local System                		1
                Encrypted Channel                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)311
                Process Injection                		4
                Obfuscated Files or Information                		Security Account Manager121
                Security Software Discovery                		SMB/Windows Admin Shares1
                Email Collection                		3
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                Scheduled Task/Job                		12
                Software Packing                		NTDS1
                Process Discovery                		Distributed Component Object ModelInput Capture113
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Timestomp                		LSA Secrets41
                Virtualization/Sandbox Evasion                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                DLL Side-Loading                		Cached Domain Credentials1
                Application Window Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Masquerading                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job41
                Virtualization/Sandbox Evasion                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                Access Token Manipulation                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron311
                Process Injection                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1623477 Sample: 7RryusxiMtHBz80.exe Startdate: 25/02/2025 Architecture: WINDOWS Score: 100 67 touxzw.ir 2->67 85 Suricata IDS alerts for network traffic 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 10 other signatures 2->91 9 7RryusxiMtHBz80.exe 7 2->9         started        13 zkqXnJkrWmp.exe 4 2->13         started        15 VKLIKWXJXPZTHN.exe 2->15         started        signatures3 process4 file5 59 C:\Users\user\AppData\...\zkqXnJkrWmp.exe, PE32 9->59 dropped 61 C:\Users\user\AppData\Local\...\tmp51E8.tmp, XML 9->61 dropped 63 C:\Users\user\...\7RryusxiMtHBz80.exe.log, ASCII 9->63 dropped 93 Uses schtasks.exe or at.exe to add and modify task schedules 9->93 95 Writes to foreign memory regions 9->95 97 Allocates memory in foreign processes 9->97 101 2 other signatures 9->101 17 RegSvcs.exe 6 9->17         started        21 RegSvcs.exe 9->21         started        23 powershell.exe 23 9->23         started        31 3 other processes 9->31 99 Multi AV Scanner detection for dropped file 13->99 25 schtasks.exe 13->25         started        27 WerFault.exe 13->27         started        29 conhost.exe 15->29         started        signatures6 process7 file8 57 C:\Users\user\AppData\...\VKLIKWXJXPZTHN.exe, PE32 17->57 dropped 69 Adds a directory exclusion to Windows Defender 17->69 33 RegSvcs.exe 17->33         started        37 powershell.exe 17->37         started        39 powershell.exe 17->39         started        49 3 other processes 17->49 71 Tries to steal Mail credentials (via file registry) 21->71 73 Loading BitLocker PowerShell Module 23->73 41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        45 conhost.exe 31->45         started        47 conhost.exe 31->47         started        signatures9 process10 dnsIp11 65 touxzw.ir 104.21.64.1, 49738, 49739, 49740 CLOUDFLARENETUS United States 33->65 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->75 77 Tries to steal Mail credentials (via file / registry access) 33->77 79 Tries to harvest and steal ftp login credentials 33->79 81 Tries to harvest and steal browser information (history, passwords, etc) 33->81 83 Loading BitLocker PowerShell Module 37->83 51 conhost.exe 37->51         started        53 conhost.exe 39->53         started        55 conhost.exe 49->55         started        signatures12 process13

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.