Windows Analysis Report
f8PZ0Uuwau.exe

Overview

General Information

Sample name: f8PZ0Uuwau.exe (renamed because the original name is a hash value)
Original sample name: 66f7a8400a5a8abb52ad9adc4ca41322.exe
Analysis ID: 1631302
MD5: 66f7a8400a5a8abb52ad9adc4ca41322
SHA1: 25e6d0352d4d624692ffe4fe20dd3b4a439f4e3c
SHA256: fd9ea5719df01b34d89eb0321b9814855cfc23488226e39e8dfa759a045a3b3b
Tags: DCRat, exe, user-abuse_ch

Detection

Detected families: DCRat, PureLog Stealer, zgRAT
Score: 100 (range: 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Drops PE files to the user root directory
Joe Sandbox ML detected suspicious sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • f8PZ0Uuwau.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\f8PZ0Uuwau.exe" MD5: 66F7A8400A5A8ABB52AD9ADC4CA41322)
    • cmd.exe (PID: 5868 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a10diwg8WT.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 4544 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 1516 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • GKMGkoz6OKxUiMK.exe (PID: 1344 cmdline: "C:\Recovery\GKMGkoz6OKxUiMK.exe" MD5: 66F7A8400A5A8ABB52AD9ADC4CA41322)
  • cleanup

Malware Configuration (DCRat)

{"C2 url": "http://217.144.98.170/providerprotectLinuxwindowstemporary", "MUTEX": "DCR_MUTEX-qOpupbm9NnviqmG8yCPf", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Yara matches: submitted sample

Source | Rule | Description | Author | Strings
f8PZ0Uuwau.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
f8PZ0Uuwau.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
f8PZ0Uuwau.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
  • 0xa1fb9:$s1: file:///
  • 0xa1ea5:$s2: {11111-22222-10009-11112}
  • 0xa1f49:$s3: {11111-22222-50001-00000}
  • 0x9ef2b:$s4: get_Module
  • 0x94fbd:$s5: Reverse
  • 0x94b8b:$s6: BlockCopy
  • 0x9a9aa:$s7: ReadByte
  • 0x9a9cf:$s7: ReadByte
  • 0xa1fcb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Yara matches: dropped files

Source | Rule | Description | Author | Strings
C:\Recovery\YJmVHrch0sXooFp51XQ.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Recovery\YJmVHrch0sXooFp51XQ.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Recovery\YJmVHrch0sXooFp51XQ.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
  • 0xa1fb9:$s1: file:///
  • 0xa1ea5:$s2: {11111-22222-10009-11112}
  • 0xa1f49:$s3: {11111-22222-50001-00000}
  • 0x9ef2b:$s4: get_Module
  • 0x94fbd:$s5: Reverse
  • 0x94b8b:$s6: BlockCopy
  • 0x9a9aa:$s7: ReadByte
  • 0x9a9cf:$s7: ReadByte
  • 0xa1fcb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Yara matches: memory dumps

Source | Rule | Description | Author | Strings
00000005.00000002.3030233088.00000000025C4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000005.00000002.3030233088.0000000002797000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000000.00000000.1776566352.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000005.00000002.3030233088.000000000291D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000005.00000002.3030233088.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Yara matches: unpacked PEs

Source | Rule | Description | Author | Strings
0.0.f8PZ0Uuwau.exe.be0000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.f8PZ0Uuwau.exe.be0000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.0.f8PZ0Uuwau.exe.be0000.0.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen |
  • 0xa1fb9:$s1: file:///
  • 0xa1ea5:$s2: {11111-22222-10009-11112}
  • 0xa1f49:$s3: {11111-22222-50001-00000}
  • 0x9ef2b:$s4: get_Module
  • 0x94fbd:$s5: Reverse
  • 0x94b8b:$s6: BlockCopy
  • 0x9a9aa:$s7: ReadByte
  • 0x9a9cf:$s7: ReadByte
  • 0xa1fcb:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

System Summary

Sigma match (Files With System Process Name In Unsuspected Locations)
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\f8PZ0Uuwau.exe, ProcessId: 6644, TargetFilename: C:\Program Files (x86)\microsoft onedrive\setup\logs\audiodg.exe

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-06T22:26:37.966147+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 217.144.98.170 | 80 | TCP

AV Detection

Source: f8PZ0Uuwau.exe | Avira: detected
Source: C:\Users\Public\lBeseSN4SMg9g9gNua9.exe | Avira: detection malicious, Label: TR/AVI.Agent.gbmui
Source: C:\Users\user\AppData\Local\Temp\a10diwg8WT.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exe | Avira: detection malicious, Label: TR/AVI.Agent.gbmui
Source: C:\Users\user\Desktop\KDiUORZU.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Avira: detection malicious, Label: TR/AVI.Agent.gbmui
Source: C:\Users\user\Desktop\UpIKuQiW.log | Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe | Avira: detection malicious, Label: TR/AVI.Agent.gbmui
Source: C:\Recovery\YJmVHrch0sXooFp51XQ.exe | Avira: detection malicious, Label: TR/AVI.Agent.gbmui
Source: 00000000.00000002.1807780402.0000000012EED000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://217.144.98.170/providerprotectLinuxwindowstemporary", "MUTEX": "DCR_MUTEX-qOpupbm9NnviqmG8yCPf", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | ReversingLabs: Detection: 73%
Source: C:\Recovery\YJmVHrch0sXooFp51XQ.exe | ReversingLabs: Detection: 73%
Source: C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe | ReversingLabs: Detection: 73%
Source: C:\Users\Public\lBeseSN4SMg9g9gNua9.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\KDiUORZU.log | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\OyklVxPN.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\RHBlSCIj.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\UpIKuQiW.log | ReversingLabs: Detection: 34%
Source: f8PZ0Uuwau.exe | Virustotal: Detection: 79%
Source: f8PZ0Uuwau.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1807780402.0000000012EED000.00000004.00000800.00020000.00000000.sdmp | String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-qOpupbm9NnviqmG8yCPf","0","poe","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVW93WTI1V2JFbHBkMmxQUTBrMlNXNVNlV1JYVldsTVEwazFTV3B2YVdSSVNqRmFVMGx6U1dwRmQwbHFiMmxrU0VveFdsTkpjMGxxUlhoSmFtOXBaRWhLTVZwVFNYTkpha1Y1U1dwdmFXUklTakZhVTBselNXcEZla2xxYjJsa1NFb3hXbE5KYzBscVJUQkphbTlwWkVoS01WcFRTamtpWFE9PSJd"]
Source: 00000000.00000002.1807780402.0000000012EED000.00000004.00000800.00020000.00000000.sdmp | String decryptor: [["http://217.144.98.170/","providerprotectLinuxwindowstemporary"]]
Source: f8PZ0Uuwau.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: f8PZ0Uuwau.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File opened: C:\Users\user\AppData\Local

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49731 -> 217.144.98.170:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: Joe Sandbox View | ASN Name: IHCRUInternet-HostingLtdMoscowRussiaRU
Source: global traffic | HTTP traffic detected:
POST /providerprotectLinuxwindowstemporary.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 217.144.98.170
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1500Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1500Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1500Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1484Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1000Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1500Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1484Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1500Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1460Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1008Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1500Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 217.144.98.170Content-Length: 1012Expect: 100-continueConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1500 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1012 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1008 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1012 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1012 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1012 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1012 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1500 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1012 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1012 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1012 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1012 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1012 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 1500 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | TCP traffic detected without corresponding DNS query: 217.144.98.170
Source: unknown | HTTP traffic detected: POST /providerprotectLinuxwindowstemporary.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 | Host: 217.144.98.170 | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.0000000002797000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.0000000002607000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.000000000291D000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.00000000026D3000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.00000000024D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://217.144.98.170
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.00000000024D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://217.144.98.170/
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.0000000002797000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.0000000002607000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.000000000291D000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.00000000026D3000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.00000000024D8000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.00000000026AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://217.144.98.170/providerprotectLinuxwindowstemporary.php
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://217.144H(
Source: f8PZ0Uuwau.exe, 00000000.00000002.1806260867.00000000034F2000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.00000000024D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3041729391.000000001E0D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: f8PZ0Uuwau.exe, type: SAMPLE | Matched rule: Detects zgRAT, Author: ditekSHen
Source: 0.0.f8PZ0Uuwau.exe.be0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT, Author: ditekSHen
Source: C:\Recovery\YJmVHrch0sXooFp51XQ.exe, type: DROPPED | Matched rule: Detects zgRAT, Author: ditekSHen
Source: C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe, type: DROPPED | Matched rule: Detects zgRAT, Author: ditekSHen
Source: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exe, type: DROPPED | Matched rule: Detects zgRAT, Author: ditekSHen
Source: C:\Users\Public\lBeseSN4SMg9g9gNua9.exe, type: DROPPED | Matched rule: Detects zgRAT, Author: ditekSHen
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe, type: DROPPED | Matched rule: Detects zgRAT, Author: ditekSHen
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Code function: 0_2_00007FFD9B560C9D
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Code function: 0_2_00007FFD9B565861
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Code function: 0_2_00007FFD9B575950
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Code function: 0_2_00007FFD9B560BA8
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B560C9D
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B565861
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B560BA8
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5636F2
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B59EB90
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5A5B5E
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B588C25
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5A5420
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B583BFA
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B57A278
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B577B3D
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B585334
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B589330
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B587178
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B586073
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B57D140
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B58793F
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B575950
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5998F6
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5827C0
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B574794
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B584778
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B59A6A2
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B57E5D8
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B59EDD1
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B591598
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B578E39
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B592634
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B575618
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B587478
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5A6D4D
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5A9D1D
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5753D0
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B589416
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B57BB32
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5861DA
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5A31B0
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B587A05
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B59C216
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5879DE
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5860CC
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B59FFD5
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B583F6A
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B585775
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5A37E1
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B587E3D
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B587DEE
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5871B8
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5A0D10
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5A0CF9
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\EnCFbMsI.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
Source: f8PZ0Uuwau.exe, 00000000.00000000.1776655553.0000000000CCE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs f8PZ0Uuwau.exe
Source: f8PZ0Uuwau.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs f8PZ0Uuwau.exe
Source: f8PZ0Uuwau.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: f8PZ0Uuwau.exe, type: SAMPLE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.f8PZ0Uuwau.exe.be0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Recovery\YJmVHrch0sXooFp51XQ.exe, type: DROPPED | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe, type: DROPPED | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exe, type: DROPPED | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\Public\lBeseSN4SMg9g9gNua9.exe, type: DROPPED | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe, type: DROPPED | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: f8PZ0Uuwau.exe, I96oAk47h3UIc10Q1OT.cs | Cryptographic APIs: 'TransformBlock'
Source: f8PZ0Uuwau.exe, I96oAk47h3UIc10Q1OT.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: f8PZ0Uuwau.exe, I96oAk47h3UIc10Q1OT.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: f8PZ0Uuwau.exe, syBNDmKbJCLHd0xRUqY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: f8PZ0Uuwau.exe, syBNDmKbJCLHd0xRUqY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: f8PZ0Uuwau.exe, syBNDmKbJCLHd0xRUqY.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/26@0/1
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile created: C:\Program Files (x86)\microsoft onedrive\setup\logs\audiodg.exeJump to behavior
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile created: C:\Users\user\Desktop\OyklVxPN.logJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeMutant created: NULL
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-qOpupbm9NnviqmG8yCPf
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_03
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile created: C:\Users\user\AppData\Local\Temp\Eh2MvEvuzaJump to behavior
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a10diwg8WT.bat"
                            Source: f8PZ0Uuwau.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: f8PZ0Uuwau.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile read: C:\Users\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                            Source: f8PZ0Uuwau.exeVirustotal: Detection: 79%
                            Source: f8PZ0Uuwau.exeReversingLabs: Detection: 73%
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile read: C:\Users\user\Desktop\f8PZ0Uuwau.exeJump to behavior
                            Source: unknownProcess created: C:\Users\user\Desktop\f8PZ0Uuwau.exe "C:\Users\user\Desktop\f8PZ0Uuwau.exe"
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a10diwg8WT.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Recovery\GKMGkoz6OKxUiMK.exe "C:\Recovery\GKMGkoz6OKxUiMK.exe"
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a10diwg8WT.bat" Jump to behavior
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhostJump to behavior
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Recovery\GKMGkoz6OKxUiMK.exe "C:\Recovery\GKMGkoz6OKxUiMK.exe" Jump to behavior
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Sections loaded (34, in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, ktmw32.dll, ntmarta.dll, propsys.dll, dlnashext.dll, wpdshext.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Sections loaded (2, in order): cmdext.dll, apphelp.dll
Source: C:\Windows\System32\chcp.com | Sections loaded (2, in order): ulib.dll, fsutilext.dll
Source: C:\Windows\System32\PING.EXE | Sections loaded (6, in order): iphlpapi.dll, mswsock.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, winnsi.dll
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Sections loaded (43, in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, ktmw32.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, dwrite.dll, wbemcomn.dll, edputil.dll, amsi.dll, userenv.dll, winmm.dll, winmmbase.dll, mmdevapi.dll, devobj.dll, ksuser.dll, avrt.dll, audioses.dll, powrprof.dll, umpdc.dll, msacm32.dll, midimap.dll, windowscodecs.dll
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: f8PZ0Uuwau.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: f8PZ0Uuwau.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Data Obfuscation

Source: f8PZ0Uuwau.exe, syBNDmKbJCLHd0xRUqY.cs | .Net Code: Type.GetTypeFromHandle(Rgqa52vZTccQxefuJQG.rDtFRojV3gD(16777385)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Rgqa52vZTccQxefuJQG.rDtFRojV3gD(16777247)),Type.GetTypeFromHandle(Rgqa52vZTccQxefuJQG.rDtFRojV3gD(16777264))})
Source: f8PZ0Uuwau.exe, ki6UyK3ncCrkRutIt6P.cs | .Net Code: MfeH5jRwDX
Source: f8PZ0Uuwau.exe, ki6UyK3ncCrkRutIt6P.cs | .Net Code: R71fyIfE2Z
Source: f8PZ0Uuwau.exe, Ipfjc5e0VAFopr9dwL7.cs | .Net Code: Qd8eJmFWOj System.Reflection.Assembly.Load(byte[])
Source: f8PZ0Uuwau.exe, Ayt8YwzwHAhWQGMNeb.cs | .Net Code: H9UFeY55tR
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B57689E push E8FFFEC2h; retn FFFEh | 5_2_00007FFD9B576A05
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B575B50 push edx; ret | 5_2_00007FFD9B575B52
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Code function: 5_2_00007FFD9B5861AA push esp; ret | 5_2_00007FFD9B5861D9
Source: f8PZ0Uuwau.exe, d5q3upRr1fA03VExWxC.cs | High entropy of concatenated method names: 'tqwnCTMCIf', 'UjsnDsR7iH', 'XLDnRYWV7u', 'HqHnnyOfO2', 'WfRn9jPePB', 'ge2nes1mJU', 'C3Mn5f4r8g', 'Vq6npNXl9A', 'f5PnBHWS8j', 'v0hnwJ5PlL'
Source: f8PZ0Uuwau.exe, GClass0.cs | High entropy of concatenated method names: 'RlUwQgrCB3', 'HJmwjWVSEf', 'Dispose', 'MoveNext', 'vIOw7wPsu3', 'get_Current', 'Reset', 'get_Current', 'method_0', 'c3W'
Source: f8PZ0Uuwau.exe, WlcwFfAUWuGhnYMDorH.cs | High entropy of concatenated method names: 'pgoAac1vda', 'Mh9', 'method_0', 'ttFAQEmiZn', 'c0bAZY998n', 'TaLATHBoBE', 'PNUAjFHsx1', 'DtTA2dFddx', 'rPnAiiaNjQ', 'EcUA7NLIDk'
Source: f8PZ0Uuwau.exe, yUAjEH1SZEKSIdm8PC3.cs | High entropy of concatenated method names: 'jDY1cfwGOe', 'rno1xHHThM', 'Su91AAUrYu', 'PeL1kcFHdX', 't4q1N12q5B', 'R1B1EAKxnP', 'z3h1U7mKeB', 'Id311rdKUI', 'scS1axG5CN', 'DEL1Q198dN'
Source: f8PZ0Uuwau.exe, syBNDmKbJCLHd0xRUqY.cs | High entropy of concatenated method names: 'kclv0f1t2m', 'nW4lBacjpc', 'MomvWllXAq', 'mjHvqBPUIf', 'aegvgYKGUa', 'Af2vSeDQW1', 'SfhFRfxBmff', 'O9RKsLUtBq', 'ulmKOU0QMl', 'g3KKMNFdLn'
Source: f8PZ0Uuwau.exe, ki6UyK3ncCrkRutIt6P.cs | High entropy of concatenated method names: 'EWGzH3mN1F', 'YEQzuTjkfn', 'g8HzfOfbet', 'k78z8OA9UL', 'LOIzoHVOWe', 'CanzmMhXnq', 'J2jzzXpLmm', 'sa43xMGjCx', 'rXtFDDtL7cJ', 'SQeFDF5gLha'
Source: f8PZ0Uuwau.exe, B45.cs | High entropy of concatenated method names: 'c6CPD3tnAX', 'N2TPFICSvj', 'TvvPCkqJ6i', 'GWmP5casBP', 'OM05qtRBVF', 'M5WdFGoHN0', 'MARdRO3trp', 'dBBdnNgRNY', 'SGb5SbPJMR', 'method_1'
Source: f8PZ0Uuwau.exe, t0CDwkJDMM7dWeNplPX.cs | High entropy of concatenated method names: 'V7GXKBn42b', 'CeBJRAhMXv', 'xBPJnTYGtc', 'M5DJ9mH1tO', 'Y8bJej2BpK', 'LVqJIo36ch', 'f6ZJCF7BQO', 'lbYJhcSTWU', 'Pp5JtTguEv', 'wbCJBN6Igt'
Source: f8PZ0Uuwau.exe, TcbMTggxQ06d1pnA3AP.cs | High entropy of concatenated method names: 'Dc6gkLlUhX', 'wDigNjDVV0', 'zsxgEc0EjC', 'vpvgUu1tRI', 'rfgg1rCxSC', 'mhtgaaCG86', 'ELPgQX6nC9', 'KLggZKl9k5', 'lxcgTta4Zf', 'audgj13rI4'
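The "High entropy of concatenated method names" lines above are a static heuristic for renaming obfuscators: a class whose method names are random alphanumerics has a character distribution close to uniform, which an ordinary class does not. The script below is an added example, not part of the Joe Sandbox report and not its internal implementation: it re-implements that heuristic as Shannon entropy in bits per character over the concatenated names, adds a second indicator (share of names containing a digit) so a short list of ordinary names is not flagged, and runs both on one of the report's lines and on a constructed list of ordinary .NET names. The thresholds, the ordinary-name list and the line parser are this example's own assumptions.

```python
"""Re-implementation of the 'high entropy of concatenated method names' heuristic.

Added example, not part of the report. Computes Shannon entropy (bits per
character) of one class's concatenated method names, pairs it with the share of
names that contain a digit, and classifies the list. Thresholds, the contrast
list and the report-line parser are this example's own assumptions, not Joe
Sandbox's internals.
"""
import math
import re
from collections import Counter

# Constructed input: one of the report's lines above, verbatim.
REPORT_LINE = (
    "Source: f8PZ0Uuwau.exe, d5q3upRr1fA03VExWxC.csHigh entropy of concatenated method names: "
    "'tqwnCTMCIf', 'UjsnDsR7iH', 'XLDnRYWV7u', 'HqHnnyOfO2', 'WfRn9jPePB', "
    "'ge2nes1mJU', 'C3Mn5f4r8g', 'Vq6npNXl9A', 'f5PnBHWS8j', 'v0hnwJ5PlL'"
)
# Constructed contrast: names an unobfuscated .NET class typically exposes.
ORDINARY_NAMES = ["Dispose", "MoveNext", "get_Current", "Reset", "ToString",
                  "Equals", "GetHashCode", "Initialize", "ReadAllBytes", "WriteLine"]

LINE_RE = re.compile(
    r"Source:\s*(?P<sample>[^,]+),\s*(?P<cls>\S+?\.cs)\s*"
    r"High entropy of concatenated method names:\s*(?P<names>.*)$"
)


def parse_report_line(line):
    """Return (class file, [method names]) from one report line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a method-name entropy line")
    return m["cls"], re.findall(r"'([^']*)'", m["names"])


def shannon_entropy(text):
    """Bits per character of the empirical symbol distribution of text."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def name_stats(names):
    """Entropy of the concatenation plus the share of names containing a digit."""
    if not names:
        return {"count": 0, "entropy": 0.0, "digit_fraction": 0.0}
    with_digit = sum(1 for nm in names if any(ch.isdigit() for ch in nm))
    return {
        "count": len(names),
        "entropy": shannon_entropy("".join(names)),
        "digit_fraction": with_digit / len(names),
    }


def looks_obfuscated(names, entropy_threshold=4.9, digit_threshold=0.5):
    """Assumed thresholds: ordinary identifiers sit well below 4.9 bits/char,
    random alphanumerics above; digits inside most names is a second tell."""
    s = name_stats(names)
    return s["entropy"] >= entropy_threshold or s["digit_fraction"] >= digit_threshold


if __name__ == "__main__":
    cls, names = parse_report_line(REPORT_LINE)
    for label, lst in ((cls, names), ("ordinary", ORDINARY_NAMES)):
        s = name_stats(lst)
        print(f"{label:24} entropy={s['entropy']:.2f} digits={s['digit_fraction']:.1f} "
              f"obfuscated={looks_obfuscated(lst)}")
```

Entropy alone is sensitive to list length: ten short names cannot reach the maximum of log2(62) bits for a 62-symbol alphabet, which is why a fixed threshold is paired with the digit indicator here rather than used on its own.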
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File created: C:\Users\Public\lBeseSN4SMg9g9gNua9.exe
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File created: C:\Recovery\YJmVHrch0sXooFp51XQ.exe
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File created: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exe
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | File created: C:\Users\user\Desktop\EnCFbMsI.log
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File created: C:\Recovery\GKMGkoz6OKxUiMK.exe
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | File created: C:\Users\user\Desktop\UpIKuQiW.log
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | File created: C:\Users\user\Desktop\RHBlSCIj.log
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File created: C:\Users\user\Desktop\OyklVxPN.log
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File created: C:\Users\user\Desktop\KDiUORZU.log
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File created: C:\Users\user\Desktop\rrHOvvEF.log
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File created: C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe
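The dropped-file list above carries three hunting signals in one place: audiodg.exe written under a OneDrive logs directory instead of System32 (the Sigma "Files With System Process Name In Unsuspected Locations" match), executables written to C:\Recovery, C:\Users\Public and C:\Users\Default, and .log files that are PE images (the "non-matching file extension" signature). The script below is an added example, not part of the Joe Sandbox report: given a path and the first bytes of the file, it checks the MZ stub and the PE signature at e_lfanew and applies those three rules. The system-binary name list, the suspicious-root list, the rule names and the synthetic file headers are this example's own assumptions.

```python
r"""Triage of dropped-file paths against the three signals in the report.

Added example, not part of the report. Given a dropped file's path and its
first bytes, it reports a system-binary name (for example audiodg.exe) outside
System32/SysWOW64, a PE written under roots such as C:\Recovery, C:\Users\Public
or C:\Users\Default, and a PE image behind a non-executable extension such as
.log. Name list, root list, rule names and the headers are this example's own
assumptions.
"""
import struct

# Constructed: a minimal PE-shaped header (MZ stub, e_lfanew = 0x40, PE signature).
PE_HEAD = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"
# Constructed: what a genuine text log starts with.
TEXT_HEAD = b"2025-03-10 12:00:01 info: service started\r\n"

SYSTEM_BINARY_NAMES = {"audiodg.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                       "winlogon.exe", "dllhost.exe", "conhost.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SUSPICIOUS_ROOTS = ("c:\\recovery\\", "c:\\users\\public\\", "c:\\users\\default\\")
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")


def is_pe(head):
    """True if head starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    if len(head) >= e_lfanew + 4:
        return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return True  # assumption: not enough bytes to verify; trust the MZ stub


def triage(path, head):
    """Return the rule names a dropped file trips (empty list if none)."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    pe = is_pe(head)
    reasons = []
    if name in SYSTEM_BINARY_NAMES and not p.startswith(SYSTEM_DIRS):
        reasons.append("system_name_outside_system_dir")
    if pe and p.startswith(SUSPICIOUS_ROOTS):
        reasons.append("pe_in_suspicious_root")
    if pe and ext not in EXECUTABLE_EXTS:
        reasons.append("pe_with_non_executable_extension")
    return reasons


def triage_many(samples):
    """Map each (path, head) pair to its list of tripped rules."""
    return {path: triage(path, head) for path, head in samples}


# Constructed input: the report's dropped paths, plus two benign contrast cases.
SAMPLES = [
    (r"C:\Users\Public\lBeseSN4SMg9g9gNua9.exe", PE_HEAD),
    (r"C:\Recovery\YJmVHrch0sXooFp51XQ.exe", PE_HEAD),
    (r"C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exe", PE_HEAD),
    (r"C:\Recovery\GKMGkoz6OKxUiMK.exe", PE_HEAD),
    (r"C:\Users\user\Desktop\EnCFbMsI.log", PE_HEAD),
    (r"C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe", PE_HEAD),
    (r"C:\Windows\System32\audiodg.exe", PE_HEAD),   # constructed: real location
    (r"C:\Users\user\Desktop\notes.log", TEXT_HEAD),  # constructed: genuine text log
]

if __name__ == "__main__":
    for path, reasons in triage_many(SAMPLES).items():
        print(f"{'FLAG' if reasons else 'ok  '} {path}  {reasons}")
```

Checking the PE signature at e_lfanew rather than only the two MZ bytes avoids flagging files that merely start with "MZ" text; on a live host the same rules can be fed from Sysmon event ID 11 (FileCreate) plus a read of the first 4 KiB of the new file.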

                            Boot Survival

Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | File created: C:\Users\Public\lBeseSN4SMg9g9gNua9.exe
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Process information set: NOOPENFILEERRORBOX (43 occurrences)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (1 occurrence)
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Process information set: NOOPENFILEERRORBOX (65 occurrences)

                            Malware Analysis System Evasion

Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera') (21 identical queries)
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost (entry listed twice)
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Memory allocated: 1120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Memory allocated: 1AEE0000 memory reserve | memory write watch
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Memory allocated: 8F0000 memory reserve | memory write watch
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Memory allocated: 1A4C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 600000
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 599719
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 599570
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 599453
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 599339
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 599235
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 599110
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 598969
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 598858
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 598750
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 598641
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 598532
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 598407
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 3600000
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 598282
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 598172
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 598063
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 597938
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 597813
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 597687
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 597328
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 596838
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 596719
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 596594
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 596485
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 596360
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 596235
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 596110
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 595985
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 595860
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 595735
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 595625
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 595516
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 595391
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 595281
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 595172
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 595063
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 594938
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 594813
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 594703
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 594594
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 594481
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 594375
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 594266
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 594156
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 594046
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 593938
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 593828
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Thread delayed: delay time: 593717
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Window / User API: threadDelayed 2438
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Window / User API: threadDelayed 7246
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exe
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\EnCFbMsI.log
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\UpIKuQiW.log
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\RHBlSCIj.log
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\OyklVxPN.log
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\rrHOvvEF.log
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\KDiUORZU.log
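The entries above are the raw signature hits. As an added example (not part of the Joe Sandbox report and not code from the sample), the following Python script turns lines in exactly this shape into a triage summary: it copes with the fused "Source:" cell and the "Jump to ..." link residue the extraction left on the lines, counts the Win32_PnPEntity camera probes (a check for a webcam, which analysis VMs usually lack), converts `ping -n 10 localhost` into the roughly nine seconds it burns, records the write-watch allocations, flags delays of three minutes or more and the 922337203685477 ms value (TimeSpan.MaxValue expressed in milliseconds, so an effectively unbounded wait), and lists dropped PE files that carry a non-.exe name. The three-minute bar and the treatment of the "Thread sleep time" numbers as milliseconds are assumptions; the sample input is constructed from entries on this page.

```python
"""Triage helper for Joe Sandbox behavior entries of the kind listed above.

Added example: not part of the Joe Sandbox report and not code from the
analysed sample.  It parses a few report lines copied from this page
(embedded below as constructed input), strips the 'Jump to ...' link text
the HTML extraction left attached, and summarises the evasion-related
entries.  Thresholds and unit handling are assumptions, marked inline.
"""
import re
from collections import Counter

LONG_SLEEP_MS = 3 * 60 * 1000       # assumption: same bar as the report's '>= 3 min' signature
UNBOUNDED_MS = 922_337_203_685_477  # .NET TimeSpan.MaxValue in ms; the value f8PZ0Uuwau.exe waits above

# The extracted table runs the 'Source:' cell straight into the event text, so the
# source path is taken as everything up to the first '.exe'.  The trailing
# 'Jump to ...' fragment is the report's own navigation link and is dropped.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*(?P<event>.*?)\s*(?:Jump to (?:behavior|dropped file))?$"
)
PING_RE = re.compile(r"PING\.EXE ping -n (?P<count>\d+) (?P<target>\S+)")
DELAY_RE = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")
# The report labels these 's', but the numbers equal the 'delay time' values above,
# which are milliseconds; they are treated as ms here (assumption).
SLEEP_RE = re.compile(r"Thread sleep time: -(?P<ms>\d+)s")
DROPPED_PREFIX = "Dropped PE file which has not been started: "


def parse_line(line):
    """Classify one report line as (source, kind, detail); None if not a report entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, event = m.group("src"), m.group("event")
    if event.startswith("WMI Queries:") and "Win32_PnPEntity" in event \
            and ("'Camera'" in event or "'Image'" in event):
        return src, "camera_probe", event
    p = PING_RE.search(event)
    if p:
        # ping sends one echo request per second, so '-n N' burns roughly N-1 seconds
        return src, "ping_sleep", {"target": p["target"], "approx_s": int(p["count"]) - 1}
    if "memory write watch" in event:
        return src, "write_watch_alloc", event
    d = DELAY_RE.search(event) or SLEEP_RE.search(event)
    if d:
        return src, "thread_delay", int(d["ms"])
    if event.startswith(DROPPED_PREFIX):
        return src, "dropped_pe_unstarted", event[len(DROPPED_PREFIX):]
    return src, "other", event


def triage(report_text):
    """Aggregate parsed entries into a small summary dict."""
    kinds, per_source = Counter(), Counter()
    delays, pings, dropped = [], [], []
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, kind, detail = parsed
        kinds[kind] += 1
        per_source[(src, kind)] += 1
        if kind == "thread_delay":
            delays.append(detail)
        elif kind == "ping_sleep":
            pings.append(detail)
        elif kind == "dropped_pe_unstarted":
            dropped.append(detail)
    finite = [d for d in delays if d < UNBOUNDED_MS]
    return {
        "camera_probes": kinds["camera_probe"],
        "write_watch_allocs": kinds["write_watch_alloc"],
        "ping_sleep_seconds": sum(p["approx_s"] for p in pings),
        "delay_entries": len(delays),
        "longest_finite_delay_ms": max(finite, default=0),
        "long_sleep": any(d >= LONG_SLEEP_MS for d in finite),
        "unbounded_wait": any(d >= UNBOUNDED_MS for d in delays),
        # a PE written under a non-.exe name (the .log files above) deserves a second look
        "dropped_pe_misnamed": [p for p in dropped if not p.lower().endswith(".exe")],
        "per_source": dict(per_source),
    }


# Constructed input: entries copied from the listing above, extraction residue included.
SAMPLE = r"""
Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\GKMGkoz6OKxUiMK.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhostJump to behavior
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeMemory allocated: 1120000 memory reserve | memory write watchJump to behavior
Source: C:\Recovery\GKMGkoz6OKxUiMK.exeMemory allocated: 8F0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 3600000Jump to behavior
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 1620Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exeJump to dropped file
Source: C:\Recovery\GKMGkoz6OKxUiMK.exeDropped PE file which has not been started: C:\Users\user\Desktop\EnCFbMsI.logJump to dropped file
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full behavior listing the summary separates the two stalling styles the report shows: the ten-minute sleep loop in GKMGkoz6OKxUiMK.exe (the 600000 ms entry and the slowly decreasing values after it) and the single unbounded wait in f8PZ0Uuwau.exe. Anchoring the source path on the first ".exe" is what makes the parser tolerant of the missing cell separator; if a report contains a source path with ".exe" in a directory name, widen that rule.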
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe TID: 6732 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 1620 | Thread sleep time: -30000s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -599719s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -599570s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -599453s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -599339s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -599235s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -599110s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -598969s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -598858s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -598750s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -598641s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -598532s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -598407s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 6288 | Thread sleep time: -7200000s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -598282s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -598172s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -598063s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -597938s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -597813s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -597687s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -597328s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -596838s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -596719s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -596594s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -596485s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -596360s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -596235s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -596110s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -595985s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -595860s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -595735s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -595625s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -595516s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -595391s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -595281s >= -30000s
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496 | Thread sleep time: -595172s >= -30000s
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -595063s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -594938s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -594813s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -594703s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -594594s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -594481s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -594375s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -594266s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -594156s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -594046s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -593938s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -593828s >= -30000sJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exe TID: 3496Thread sleep time: -593717s >= -30000sJump to behavior
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeCode function: 5_2_00007FFD9B57DD3F GetSystemInfo,5_2_00007FFD9B57DD3F
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 30000Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 600000Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 599719Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 599570Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 599453Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 599339Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 599235Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 599110Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 598969Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 598858Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 598750Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 598641Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 598532Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 598407Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 3600000Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 598282Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 598172Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 598063Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 597938Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 597813Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 597687Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 597328Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 596838Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 596719Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 596594Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 596485Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 596360Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 596235Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 596110Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 595985Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 595860Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 595735Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 595625Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 595516Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 595391Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 595281Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 595172Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 595063Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 594938Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 594813Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 594703Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 594594Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 594481Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 594375Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 594266Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 594156Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 594046Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 593938Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 593828Jump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeThread delayed: delay time: 593717Jump to behavior
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile opened: C:\Users\userJump to behavior
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile opened: C:\Users\user\AppDataJump to behavior
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
Source: f8PZ0Uuwau.exe, 00000000.00000002.1805671440.0000000001217000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_
Source: f8PZ0Uuwau.exe, 00000000.00000002.1808857744.000000001B7F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3028792406.00000000006D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Process token adjusted: Debug
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\a10diwg8WT.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Recovery\GKMGkoz6OKxUiMK.exe "C:\Recovery\GKMGkoz6OKxUiMK.exe"
Source: GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.0000000002607000.00000004.00000800.00020000.00000000.sdmp, GKMGkoz6OKxUiMK.exe, 00000005.00000002.3030233088.00000000026D3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\f8PZ0Uuwau.exe | Queries volume information: C:\Users\user\Desktop\f8PZ0Uuwau.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Recovery\GKMGkoz6OKxUiMK.exe VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Recovery\GKMGkoz6OKxUiMK.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                            Source: C:\Recovery\GKMGkoz6OKxUiMK.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                            Source: C:\Users\user\Desktop\f8PZ0Uuwau.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Stealing of Sensitive Information

                            Source: Yara match | File source: 00000005.00000002.3030233088.00000000025C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.3030233088.0000000002797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.3030233088.000000000291D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.3030233088.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.1807780402.0000000012EED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: f8PZ0Uuwau.exe PID: 6644, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: GKMGkoz6OKxUiMK.exe PID: 1344, type: MEMORYSTR
                            Source: Yara match | File source: f8PZ0Uuwau.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.f8PZ0Uuwau.exe.be0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1776566352.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\Recovery\YJmVHrch0sXooFp51XQ.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe, type: DROPPED
                            Source: Yara match | File source: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\Public\lBeseSN4SMg9g9gNua9.exe, type: DROPPED
                            Source: Yara match | File source: C:\Recovery\GKMGkoz6OKxUiMK.exe, type: DROPPED
                            Source: Yara match | File source: f8PZ0Uuwau.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.f8PZ0Uuwau.exe.be0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: C:\Recovery\YJmVHrch0sXooFp51XQ.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe, type: DROPPED
                            Source: Yara match | File source: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\Public\lBeseSN4SMg9g9gNua9.exe, type: DROPPED
                            Source: Yara match | File source: C:\Recovery\GKMGkoz6OKxUiMK.exe, type: DROPPED

                            Remote Access Functionality

                            Source: Yara match | File source: 00000005.00000002.3030233088.00000000025C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.3030233088.0000000002797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.3030233088.000000000291D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.3030233088.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.1807780402.0000000012EED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: f8PZ0Uuwau.exe PID: 6644, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: GKMGkoz6OKxUiMK.exe PID: 1344, type: MEMORYSTR
                            Source: Yara match | File source: f8PZ0Uuwau.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.f8PZ0Uuwau.exe.be0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1776566352.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\Recovery\YJmVHrch0sXooFp51XQ.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe, type: DROPPED
                            Source: Yara match | File source: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\Public\lBeseSN4SMg9g9gNua9.exe, type: DROPPED
                            Source: Yara match | File source: C:\Recovery\GKMGkoz6OKxUiMK.exe, type: DROPPED
                            Source: Yara match | File source: f8PZ0Uuwau.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.f8PZ0Uuwau.exe.be0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: C:\Recovery\YJmVHrch0sXooFp51XQ.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\Default\Pictures\HlFPCzvxV4123WL.exe, type: DROPPED
                            Source: Yara match | File source: C:\Program Files (x86)\Microsoft OneDrive\setup\logs\audiodg.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\Public\lBeseSN4SMg9g9gNua9.exe, type: DROPPED
                            Source: Yara match | File source: C:\Recovery\GKMGkoz6OKxUiMK.exe, type: DROPPED
                            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                            Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Scripting | 12 Process Injection | 122 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                            Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Clipboard Data | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
                            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 114 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            Behavior Graph ID: 1631302 | Sample: f8PZ0Uuwau.exe | Start date: 06/03/2025 | Architecture: WINDOWS | Score: 100
                            Start
                              signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
                              -> f8PZ0Uuwau.exe started
                                   dropped: C:\Users\user\Desktop\rrHOvvEF.log (PE32); C:\Users\user\Desktop\OyklVxPN.log (PE32); C:\Users\user\Desktop\KDiUORZU.log (PE32); 12 other malicious files
                                   signatures: Drops PE files to the user root directory
                                   -> cmd.exe started
                                        signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                                        -> GKMGkoz6OKxUiMK.exe started
                                             network: 217.144.98.170 (ports 49731, 49732, 49733), IHCRU Internet-Hosting Ltd, Moscow, Russia (RU), Russian Federation
                                             dropped: C:\Users\user\Desktop\UpIKuQiW.log (PE32); C:\Users\user\Desktop\RHBlSCIj.log (PE32); C:\Users\user\DesktopnCFbMsI.log (PE32)
                                             signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
                                        -> conhost.exe started
                                        -> PING.EXE started
                                        -> chcp.com started
